

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1579083
MD5: cf434586b9c7be034528e12c545e0718
SHA1: 7bd4c423ca38d0146f52ba0fca62e5d2940eb8c0
SHA256: d10d8c2f7fddee36a66d334f129f2cecf2539034c55bea2218e285e85d9193fc
Tags: exe, user-aachum

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

  • System is w10x64
  • Set-up.exe (PID: 2792 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: CF434586B9C7BE034528E12C545E0718)
    • WerFault.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 944 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Set-up.exe :: ReversingLabs: Detection: 34%
Source: Submitted Sample :: Integrated Neural Analysis Model: Matched 97.0% probability
Source: Set-up.exe, 00000000.00000002.2444661274.000000000097D000.00000002.00000001.01000000.00000003.sdmp :: Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_f1893a8d-8
Source: Set-up.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe :: Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: global traffic :: HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */* (reported twice)
Source: Joe Sandbox View :: IP Address: 34.226.108.155
Source: unknown :: UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: global traffic :: DNS traffic detected: DNS query: httpbin.org
Source: global traffic :: DNS traffic detected: DNS query: home.sevkx17vs.top
Source: Set-up.exe :: String found in binary or memory: http://.css
Source: Set-up.exe :: String found in binary or memory: http://.jpg
Source: Set-up.exe :: String found in binary or memory: http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk17
Source: Set-up.exe, 00000000.00000003.2366803640.000000000127B000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk1733202266
Source: Set-up.exe, 00000000.00000002.2445197306.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2366803640.000000000127B000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk17332022666963
Source: Set-up.exe, 00000000.00000002.2444587645.000000000097C000.00000004.00000001.01000000.00000003.sdmp :: String found in binary or memory: http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk1733202266http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzB
Source: Set-up.exe :: String found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.4.dr :: String found in binary or memory: http://upx.sf.net
Source: Set-up.exe :: String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe :: String found in binary or memory: https://curl.se/docs/hsts.html
Source: Set-up.exe :: String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe :: String found in binary or memory: https://httpbin.org/ip
Source: Set-up.exe :: String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown :: Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown :: Network traffic detected: HTTP traffic on port 443 -> 49704
Source: C:\Users\user\Desktop\Set-up.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 944
Source: Set-up.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe :: Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd
Source: classification engine :: Classification label: mal56.evad.winEXE@2/5@14/1
Source: C:\Users\user\Desktop\Set-up.exe :: Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2792
Source: C:\Windows\SysWOW64\WerFault.exe :: File created: C:\ProgramData\Microsoft\Windows\WER\Temp\34e44fad-727a-446d-aa92-a7f847e890fe
Source: Set-up.exe :: Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Set-up.exe :: File read: C:\Windows\System32\drivers\etc\hosts (5 occurrences)
Source: Set-up.exe :: ReversingLabs: Detection: 34%
Source: Set-up.exe :: String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: Set-up.exe :: String found in binary or memory: in-addr.arpa
Source: Set-up.exe :: String found in binary or memory: 8L0123456789abcdefin-addr.arpaip6.arpa
Source: Set-up.exe :: String found in binary or memory: Unable to complete request for channel-process-startup
Source: Set-up.exe :: String found in binary or memory: JM[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe have already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywaysessionchannel.cUnable to allocate memory for direct-tcpip connectiondirect-tcpipUnable to allocate memory for direct-streamlocal connectiondirect-streamlocal@openssh.comQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestFailed getting response for channel-setenvUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF stateUnable to allocate memory for signal requestsignalWould block sending signal requestUnable to send signal packetecdsa-sha2-nistp256ecdsa-sha2-nistp384ecdsa-sha2-nistp521blocksize <= siz
Source: Set-up.exe :: String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe :: String found in binary or memory: set-addPolicy
Source: Set-up.exe :: String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: unknown :: Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 944
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: napinsp.dll (second load)
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: pnrpnsp.dll (second load)
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: wshbth.dll (second load)
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: nlaapi.dll (second load)
Source: C:\Users\user\Desktop\Set-up.exe :: Section loaded: winrnr.dll (second load)
Source: Set-up.exe :: Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe :: Static file information: File size 7894016 > 1048576
Source: Set-up.exe :: Static PE information: Raw size of .text is bigger than: 0x100000 < 0x49ec00
Source: Set-up.exe :: Static PE information: Raw size of .data is bigger than: 0x100000 < 0x15cc00
Source: Set-up.exe :: Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x151000
Source: Set-up.exe :: Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Set-up.exe :: Static PE information: section name: .eh_fram
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: NOOPENFILEERRORBOX (50 occurrences)

Malware Analysis System Evasion

Source: Set-up.exe :: Binary or memory string: PROCMON.EXE
Source: Set-up.exe :: Binary or memory string: X64DBG.EXE
Source: Set-up.exe :: Binary or memory string: WINDBG.EXE
Source: Set-up.exe :: Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Set-up.exe :: Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\Set-up.exe TID: 3872 :: Thread sleep time: -30000s >= -30000s (2 occurrences)
Source: C:\Users\user\Desktop\Set-up.exe :: File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.4.dr :: Binary or memory string: VMware
Source: Amcache.hve.4.dr :: Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr :: Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr :: Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr :: Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr :: Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr :: Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr :: Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr :: Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Set-up.exe, 00000000.00000003.2091463805.00000000010C7000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe :: Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.4.dr :: Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr :: Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr :: Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Set-up.exe, 00000000.00000003.2091183408.0000000001265000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2445197306.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2366803640.000000000127B000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr :: Binary or memory string: vmci.sys
Source: Set-up.exe :: Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.4.dr :: Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr :: Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr :: Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr :: Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr :: Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr :: Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr :: Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr :: Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr :: Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr :: Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr :: Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr :: Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr :: Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr :: Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr :: Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr :: Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Set-up.exe :: Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Set-up.exe :: Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\Set-up.exe :: Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (7 occurrences)
Source: C:\Users\user\Desktop\Set-up.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Set-up.exe, Set-up.exe, 00000000.00000002.2444661274.000000000097D000.00000002.00000001.01000000.00000003.sdmp :: Binary or memory string: procmon.exe
Source: Amcache.hve.4.dr :: Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr :: Binary or memory string: msmpeng.exe
Source: Set-up.exe, Set-up.exe, 00000000.00000002.2444661274.000000000097D000.00000002.00000001.01000000.00000003.sdmp :: Binary or memory string: wireshark.exe
Source: Amcache.hve.4.dr :: Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr :: Binary or memory string: MsMpEng.exe

MITRE ATT&CK Matrix

The matrix is listed here per tactic column. A number in parentheses is the count the report attaches to that technique; cells without a number carry no annotation.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2); Process Injection (1); DLL Side-Loading (1); Binary Padding; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (2); Process Discovery (1); Remote System Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus Detection

Source      Detection  Scanner        Label
Set-up.exe  34%        ReversingLabs  Win32.Infostealer.Tinba

No Antivirus matches (reported for the four remaining scan categories)
Contacted Domains

Name                IP              Active   Malicious  Antivirus Detection  Reputation
httpbin.org         34.226.108.155  true     false      (none)               high
home.sevkx17vs.top  unknown         unknown  false      (none)               high
Contacted URLs

Name                    Malicious  Antivirus Detection  Reputation
https://httpbin.org/ip  false      (none)               high
URLs from Memory and Binaries (Name; Source; Malicious; Reputation; no antivirus detection for any entry)

https://curl.se/docs/hsts.html; Set-up.exe; false; high
http://html4/loose.dtd; Set-up.exe; false; high
https://httpbin.org/ipbefore; Set-up.exe; false; high
https://curl.se/docs/http-cookies.html; Set-up.exe; false; high
http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk17; Set-up.exe; false; unknown
http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk17332022666963; Set-up.exe, 00000000.00000002.2445197306.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2366803640.000000000127B000.00000004.00000020.00020000.00000000.sdmp; false; unknown
http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk1733202266; Set-up.exe, 00000000.00000003.2366803640.000000000127B000.00000004.00000020.00020000.00000000.sdmp; false; unknown
http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzBXk1733202266http://home.sevkx17vs.top/TYELKNoHAuZzdCMGzB; Set-up.exe, 00000000.00000002.2444587645.000000000097C000.00000004.00000001.01000000.00000003.sdmp; false; unknown
http://upx.sf.net; Amcache.hve.4.dr; false; high
https://curl.se/docs/alt-svc.html; Set-up.exe; false; high
http://.css; Set-up.exe; false; high
http://.jpg; Set-up.exe; false; high
Contacted IPs

IP              Domain       Country        ASN    ASN Name      Malicious
34.226.108.155  httpbin.org  United States  14618  AMAZON-AESUS  false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1579083
                                Start date and time:2024-12-20 19:21:18 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 7s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:8
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Set-up.exe
                                Detection:MAL
                                Classification:mal56.evad.winEXE@2/5@14/1
                                EGA Information:Failed
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.53.21, 4.175.87.197, 13.107.246.63, 20.109.210.53
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Set-up.exe, PID 2792 because there are no executed functions
                                • VT rate limit hit for: Set-up.exe
Time | Type | Description
13:22:14 | API Interceptor | 6x Sleep call for process: Set-up.exe modified
13:22:48 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 34.226.108.155
Associated Sample Name / URL | Detection | Threat Name
KNkr78hyig.exe | malicious | Clipboard Hijacker, Cryptbot
Tsy9P2T9yF.exe | malicious | Unknown
kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot
HHFgVU1HGu.exe | malicious | Clipboard Hijacker, Cryptbot
GxSEtDSBuK.exe | malicious | Clipboard Hijacker, Cryptbot
ob4eL9Z1O4.exe | malicious | Cryptbot
nojxbVm8i4.exe | malicious | Cryptbot
WP6s7cCLzr.exe | malicious | Unknown
oJkvQZYkrx.exe | malicious | Unknown
2M43DSi2cx.exe | malicious | Unknown
Match: httpbin.org
Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT | 98.85.100.80
t3VyxF5MmA.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
KNkr78hyig.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
Pm81aa8zii.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
avBx6p1FAX.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
Tsy9P2T9yF.exe | malicious | Unknown | 34.226.108.155
kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
j6Nv9kUydV.exe | malicious | Unknown | 98.85.100.80
q79Pocl81P.exe | malicious | Cryptbot | 98.85.100.80
28PCC9oa8s.exe | malicious | Unknown | 98.85.100.80
Match: AMAZON-AESUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
phish_alert_iocp_v1.10.16(15).eml | malicious | Unknown | 44.217.82.191
nshkarm5.elf | malicious | Mirai | 54.24.234.33
nshkmips.elf | malicious | Mirai | 54.134.19.128
nshkarm.elf | malicious | Mirai | 54.236.222.80
KNkr78hyig.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
Tsy9P2T9yF.exe | malicious | Unknown | 34.226.108.155
nshkppc.elf | malicious | Mirai | 54.136.161.117
kGxQbLOG7s.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
ppc.elf | malicious | Mirai | 3.221.94.196
HHFgVU1HGu.exe | malicious | Clipboard Hijacker, Cryptbot | 34.226.108.155
                                                    No context
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.9307019301777515
                                                    Encrypted:false
                                                    SSDEEP:192:jgabinlV+o30BU/wj4ZrMso5wzuiFqZ24IO8LG:RIlzEBU/wjuzuiFqY4IO8L
                                                    MD5:1DA4386BAD0C3B8D2852F1A798DD7455
                                                    SHA1:CDC44BEB0FA7E9E4DAB397FA8935D565672DF34A
                                                    SHA-256:67E4B4BC22C69A493D06D82DF0099A7FBF8FA5035E0C66CD403930B9DDED617D
                                                    SHA-512:2584B5263A741C5DA1198346D735F9A8590458AD056CE78C682B42C0DEEDB5C20A9C12A8A23B1D4D7766B20CAECAE51779A39A67AC1830F7443BCCB86295F687
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.9.2.5.3.6.6.0.3.4.5.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.9.2.5.3.7.0.5.6.5.8.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.5.7.6.4.e.0.-.9.7.4.3.-.4.9.a.d.-.b.f.4.5.-.b.4.c.9.8.7.b.1.9.a.e.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.e.0.3.7.9.1.-.2.1.7.7.-.4.f.1.6.-.a.5.6.8.-.7.c.9.9.4.e.0.6.a.a.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.t.-.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.e.8.-.0.0.0.1.-.0.0.1.4.-.b.c.3.b.-.e.d.1.5.0.c.5.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.b.a.1.5.1.0.9.b.6.9.3.2.d.7.6.c.b.3.8.f.e.0.1.d.a.1.0.a.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.7.b.d.4.c.4.2.3.c.a.3.8.d.0.1.4.6.f.5.2.b.a.0.f.c.a.6.2.e.5.d.2.9.4.0.e.b.8.c.0.!.S.e.t.-.u.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Fri Dec 20 18:22:16 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):52666
                                                    Entropy (8bit):2.22332527307284
                                                    Encrypted:false
                                                    SSDEEP:192:8TSspkQNM2VCmltGOQdw6g6BrBYBx1ft4yJjw301vvvYiqXhxwOW8jtWO3y:2SJv2VCuRQ2WY1Jjw30BoiqXhuT4cO
                                                    MD5:F5DC12307A80FDF3984E842845F0B81F
                                                    SHA1:24AF4783651898C376BD02DED81FA66698758529
                                                    SHA-256:2C21149A7879575C93771147789362233B691BB32A061175C9A7CE432C8C0CF3
                                                    SHA-512:626EB191D59BA6E43E3E4E5F3A6DAC183ABACAC664436E7C69FA0DF5195D12C23836DE92B2B7C4C7B1840503E762C16EC1709CB08D1C01D4D35E5C3442BEC45B
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:MDMP..a..... ........eg................................................T...~/..........`.......8...........T............$..........................................................................................................eJ..............GenuineIntel............T............eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8324
                                                    Entropy (8bit):3.6922259091050567
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJFu6I3Rq86YEIESU90dIEgmfxb+prl89b5JsfNgzm:R6lXJs6I3Y86YELSU90dIEgmfxbh5ifD
                                                    MD5:7822116D8DB363C6FC0221ED8856A50A
                                                    SHA1:3E97BDC56D9F92B0797C7931D7935A6325C8E667
                                                    SHA-256:8E6928D55F19DF4D924EAFA35AA89491F741398B5D52B0EA1720CBE09DF40D62
                                                    SHA-512:54921C56F97873D65DDCBADD83B96CBAC1987D133493C52CB82E74F6B0D49D75E719327882A4C653699C52CB0C76599AB2CF7D565496833767B1FE8C11DA1B01
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.9.2.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4574
                                                    Entropy (8bit):4.442784152866571
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsdJg77aI9dyVWpW8VYrYm8M4JJ5FB5+q8TPpxn4U+aglDwMdd:uIjf3I7rb7VLJ35CP4U+agLdd
                                                    MD5:9669343ED618D5186B3BE9651EF6CBF4
                                                    SHA1:9C6C8BA0F05BC73D7A51E1185F7A6353DAF4181A
                                                    SHA-256:5EF127FF787A8FAD609E1E530096822B3AE0C32F2703B2AB23AA07461DE02A3C
                                                    SHA-512:ECA43F4D61996BEDAFC51FACD5960E3B3AD539DE362BB3A1950F767361EF306737C99711A2990B6A60096DBAC266FFD0EF3F52832BA218714F00976B1E42E090
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639924" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.421490883730044
                                                    Encrypted:false
                                                    SSDEEP:6144:CSvfpi6ceLP/9skLmb0OTcWSPHaJG8nAgeMZMMhA2fX4WABlEnNQ0uhiTw:RvloTcW+EZMM6DFyC03w
                                                    MD5:51C321DEED3F28A6F93E40F651CB2FA2
                                                    SHA1:5E2C96591134FA780DF9470B8F59471D2C966CA4
                                                    SHA-256:09296579A24DBB1052E495F9EB37B4C6E8D519A301C00CFEBA20B2EE111B34B4
                                                    SHA-512:C24F3130C0F6CA4D7522057E928DF598BE8BE76C0B8C05D744DCF167152C1256269B2453B8F094ACD078257F279693EC8511FD511D262DBFBB3EEA75121B1FCA
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmfd'..S................................................................................................................................................................................................................................................................................................................................................0-........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                    Entropy (8bit):5.791267450868342
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.53%
                                                    • InstallShield setup (43055/19) 0.43%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Set-up.exe
                                                    File size:7'894'016 bytes
                                                    MD5:cf434586b9c7be034528e12c545e0718
                                                    SHA1:7bd4c423ca38d0146f52ba0fca62e5d2940eb8c0
                                                    SHA256:d10d8c2f7fddee36a66d334f129f2cecf2539034c55bea2218e285e85d9193fc
                                                    SHA512:eaa0dba624ec95adda61ab00a5bb61409b7fbc2535df3e89d7133852b3cd7bea83acd6ad11c902614afb30c1d7d29df5b868ad05afefcce16b5d5074310c46cb
                                                    SSDEEP:98304:zIeD/KFR0PZvt8Prmq7i/nSR9tfKVGyz:ZSFKFAyBe9tfHG
                                                    TLSH:6D863A61EE9781F5DAC305715056B73F6E31AF009825CEB6CF90FB34C672A12EA5E218
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ng...............(..I..px..2............J...@...........................x.......y...@... ............................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x4014a0
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x674E92E6 [Tue Dec 3 05:11:02 2024 UTC]
                                                    TLS Callbacks:0x7890e0, 0x789090
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:81fb24115d5dd0de51b609f733724901
                                                    Instruction
                                                    mov dword ptr [00B55658h], 00000001h
                                                    jmp 00007F81E1A7B956h
                                                    nop
                                                    mov dword ptr [00B55658h], 00000000h
                                                    jmp 00007F81E1A7B946h
                                                    nop
                                                    sub esp, 1Ch
                                                    mov eax, dword ptr [esp+20h]
                                                    mov dword ptr [esp], eax
                                                    call 00007F81E1E031B6h
                                                    cmp eax, 01h
                                                    sbb eax, eax
                                                    add esp, 1Ch
                                                    ret
                                                    nop
                                                    nop
                                                    nop
                                                    nop
                                                    nop
                                                    nop
                                                    nop
                                                    nop
                                                    push ebp
                                                    mov ebp, esp
                                                    push edi
                                                    push esi
                                                    push ebx
                                                    sub esp, 1Ch
                                                    mov dword ptr [esp], 009FD000h
                                                    call dword ptr [00B579A0h]
                                                    sub esp, 04h
                                                    test eax, eax
                                                    je 00007F81E1A7BD15h
                                                    mov ebx, eax
                                                    mov dword ptr [esp], 009FD000h
                                                    call dword ptr [00B57A14h]
                                                    mov edi, dword ptr [00B579B4h]
                                                    sub esp, 04h
                                                    mov dword ptr [00B53028h], eax
                                                    mov dword ptr [esp+04h], 009FD013h
                                                    mov dword ptr [esp], ebx
                                                    call edi
                                                    sub esp, 08h
                                                    mov esi, eax
                                                    mov dword ptr [esp+04h], 009FD029h
                                                    mov dword ptr [esp], ebx
                                                    call edi
                                                    sub esp, 08h
                                                    mov dword ptr [008A0004h], eax
                                                    test esi, esi
                                                    je 00007F81E1A7BCB3h
                                                    mov dword ptr [esp+04h], 00B5302Ch
                                                    mov dword ptr [esp], 00B4E104h
                                                    call esi
                                                    mov dword ptr [esp], 00401580h
                                                    call 00007F81E1A7BC03h
                                                    lea esp, dword ptr [ebp-0Ch]
                                                    pop ebx
                                                    pop esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x757000 | 0x2d90 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75c000 | 0x326d8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x7440e0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x757810 | 0x61c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x49ea7c | 0x49ec00 | 864fb5085ee1b4574db5be4837fdb817 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4a0000 | 0x15ca64 | 0x15cc00 | 04666db6d7f0eeaedb8c13ae81f6c246 | False | 0.015552195340501791 | dBase III DBT, version number 0, next free block index 10, 1st item "\254\311z" | 0.23076010737827105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x5fd000 | 0x150f04 | 0x151000 | e7fd725278fee3497ee52adfb75d2641 | False | 0.4214185946772997 | data | 6.273674184307772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram | 0x74e000 | 0x4d30 | 0x4e00 | 5b1c8a08b7f4b12175d21cc89d0e4660 | False | 0.31921073717948717 | data | 4.890102423374675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x753000 | 0x3180 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x757000 | 0x2d90 | 0x2e00 | 3e69c164c01d162128ddb4300315452f | False | 0.36769701086956524 | data | 5.434079465623614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x75a000 | 0x30 | 0x200 | fe2a65d4187b984679c52ae93485940e | False | 0.0625 | data | 0.2233456448570176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x75b000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x75c000 | 0x326d8 | 0x32800 | 679b23d1c372dff112ee9c7387d331d3 | False | 0.5063331528465347 | data | 6.655641022726191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
ADVAPI32.dll | CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetHashParam, CryptGetProvParam, CryptGetUserKey, CryptHashData, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeregisterEventSource, RegCloseKey, RegEnumKeyExA, RegNotifyChangeKeyValue, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegisterEventSourceW, ReportEventW, SystemFunction036
bcrypt.dll | BCryptGenRandom
CRYPT32.dll | CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertOpenStore, CertOpenSystemStoreA, CertOpenSystemStoreW
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, SelectObject
gdiplus.dll | GdipGetImageEncoders, GdipGetImageEncodersSize, GdiplusShutdown, GdiplusStartup
IPHLPAPI.DLL | ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameA, FreeMibTable, GetAdaptersAddresses, GetBestRoute2, GetUnicastIpAddressTable, if_indextoname, if_nametoindex
KERNEL32.dll | AcquireSRWLockExclusive, CancelIo, CloseHandle, CompareFileTime, ConvertFiberToThread, ConvertThreadToFiberEx, CreateEventA, CreateFiberEx, CreateFileA, CreateFileMappingA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreW, CreateThread, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileW, FormatMessageW, FreeLibrary, GetACP, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileAttributesA, GetFileType, GetLastError, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetThreadLocale, GetTickCount64, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, K32EnumProcesses, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, MoveFileExA, MultiByteToWideChar, OpenProcess, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, SetConsoleMode, SetFileCompletionNotificationModes, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, SleepEx, SwitchToFiber, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TlsSetValue, UnmapViewOfFile, UnregisterWait, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualLock, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile, lstrlenA
msvcrt.dll | __mb_cur_max, __setusermatherr, _findclose, _fullpath, _lock, _strnicmp, _unlock, getc, islower, isxdigit, localeconv, ungetc, vfprintf, _findnext, _findfirst, _open
ole32.dll | CreateStreamOnHGlobal
SHELL32.dll | SHGetKnownFolderPath
api-ms-win-crt-convert-l1-1-0.dll | atoi, mbstowcs, strtol, strtoll, strtoul, wcstombs
api-ms-win-crt-environment-l1-1-0.dll | __p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll | _fstat64, _stat64, _unlink
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll | setlocale
api-ms-win-crt-math-l1-1-0.dll | _fdopen
api-ms-win-crt-private-l1-1-0.dll | memchr, memcmp, memcpy, memmove, strchr, strrchr, strstr, wcsstr
api-ms-win-crt-runtime-l1-1-0.dll | _set_app_type, __p___argc, __p___argv, __p___wargv, __p__acmdln, __sys_errlist, __sys_nerr, _assert, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_invalid_parameter_handler, abort, exit, raise, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll | __acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, __stdio_common_vswprintf, _fileno, _fseeki64, _lseeki64, _wfopen, _write, fclose, feof, ferror, fflush, fgets, fopen, fputc, fputs, fread, fseek, ftell, fwrite, rewind, setvbuf, _write, _setmode, _read, _open, _fileno, _close
                                                    api-ms-win-crt-string-l1-1-0.dll_strlwr_s, isspace, isupper, memset, strcat, strcmp, strcpy, strcspn, strlen, strncat, strncmp, strncpy, strpbrk, strspn, tolower, wcscat, wcscmp, wcscpy, wcslen, _wcsnicmp, _stricmp, _strdup, _strdup
                                                    api-ms-win-crt-time-l1-1-0.dll__daylight, __timezone, __tzname, _difftime32, _difftime64, _gmtime64, _mktime64, _time32, _time64, _tzset, strftime
                                                    api-ms-win-crt-utility-l1-1-0.dll_byteswap_uint64, bsearch, qsort, rand, srand
                                                    USER32.dllCharUpperA, EnumDisplayMonitors, EnumWindows, FindWindowA, GetDC, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, GetWindowTextA, MessageBoxW, ReleaseDC, SendMessageA
                                                    WS2_32.dllWSACleanup, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAGetLastError, WSAIoctl, WSAResetEvent, WSASetEvent, WSASetLastError, WSAStartup, WSAStringToAddressW, WSAWaitForMultipleEvents, __WSAFDIsSet, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 19:22:12.290247917 CET | 192.168.2.5 | 1.1.1.1 | 0x2d2f | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:12.290522099 CET | 192.168.2.5 | 1.1.1.1 | 0xe59d | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:14.942513943 CET | 192.168.2.5 | 1.1.1.1 | 0xb2fe | Standard query (0) | home.sevkx17vs.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:14.942627907 CET | 192.168.2.5 | 1.1.1.1 | 0x41b1 | Standard query (0) | home.sevkx17vs.top | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:15.281305075 CET | 192.168.2.5 | 1.1.1.1 | 0x514b | Standard query (0) | home.sevkx17vs.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.281305075 CET | 192.168.2.5 | 1.1.1.1 | 0x5d90 | Standard query (0) | home.sevkx17vs.top | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:15.531671047 CET | 192.168.2.5 | 1.1.1.1 | 0x90a1 | Standard query (0) | home.sevkx17vs.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.531671047 CET | 192.168.2.5 | 1.1.1.1 | 0x590e | Standard query (0) | home.sevkx17vs.top | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:15.783667088 CET | 192.168.2.5 | 1.1.1.1 | 0x5e00 | Standard query (0) | home.sevkx17vs.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.783745050 CET | 192.168.2.5 | 1.1.1.1 | 0x961b | Standard query (0) | home.sevkx17vs.top | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:16.032141924 CET | 192.168.2.5 | 1.1.1.1 | 0xfd8 | Standard query (0) | home.sevkx17vs.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:16.032223940 CET | 192.168.2.5 | 1.1.1.1 | 0x70c6 | Standard query (0) | home.sevkx17vs.top | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:16.284017086 CET | 192.168.2.5 | 1.1.1.1 | 0xc86d | Standard query (0) | home.sevkx17vs.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:16.284079075 CET | 192.168.2.5 | 1.1.1.1 | 0xe7f5 | Standard query (0) | home.sevkx17vs.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 19:22:12.587848902 CET | 1.1.1.1 | 192.168.2.5 | 0x2d2f | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:12.587848902 CET | 1.1.1.1 | 192.168.2.5 | 0x2d2f | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.168756962 CET | 1.1.1.1 | 192.168.2.5 | 0xb2fe | Name error (3) | home.sevkx17vs.top | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.168770075 CET | 1.1.1.1 | 192.168.2.5 | 0x41b1 | Name error (3) | home.sevkx17vs.top | none | none | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:15.418998957 CET | 1.1.1.1 | 192.168.2.5 | 0x514b | Name error (3) | home.sevkx17vs.top | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.419015884 CET | 1.1.1.1 | 192.168.2.5 | 0x5d90 | Name error (3) | home.sevkx17vs.top | none | none | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:15.670814991 CET | 1.1.1.1 | 192.168.2.5 | 0x590e | Name error (3) | home.sevkx17vs.top | none | none | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:15.673157930 CET | 1.1.1.1 | 192.168.2.5 | 0x90a1 | Name error (3) | home.sevkx17vs.top | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.921291113 CET | 1.1.1.1 | 192.168.2.5 | 0x5e00 | Name error (3) | home.sevkx17vs.top | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:15.921338081 CET | 1.1.1.1 | 192.168.2.5 | 0x961b | Name error (3) | home.sevkx17vs.top | none | none | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:16.170213938 CET | 1.1.1.1 | 192.168.2.5 | 0x70c6 | Name error (3) | home.sevkx17vs.top | none | none | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:16.170229912 CET | 1.1.1.1 | 192.168.2.5 | 0xfd8 | Name error (3) | home.sevkx17vs.top | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:22:16.423882008 CET | 1.1.1.1 | 192.168.2.5 | 0xe7f5 | Name error (3) | home.sevkx17vs.top | none | none | 28 | IN (0x0001) | false
Dec 20, 2024 19:22:16.439136028 CET | 1.1.1.1 | 192.168.2.5 | 0xc86d | Name error (3) | home.sevkx17vs.top | none | none | A (IP address) | IN (0x0001) | false
                                                    • httpbin.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 34.226.108.155 | 443 | 2792 | C:\Users\user\Desktop\Set-up.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:22:14 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-20 18:22:14 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:22:14 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-20 18:22:14 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}


Target ID: 0
Start time: 13:22:11
Start date: 20/12/2024
Path: C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Set-up.exe"
Imagebase: 0x380000
File size: 7'894'016 bytes
MD5 hash: CF434586B9C7BE034528E12C545E0718
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 13:22:16
Start date: 20/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 944
Imagebase: 0x530000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                    No disassembly