Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Analysis ID: 1428462
MD5: 193692e1cf957eef7e6cf2f6bc74be86
SHA1: 9d1f849b57c96ca71f0f90c73de97fa912b691d7
SHA256: fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6
Tags: exe
Infos:

Detection

LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found pyInstaller with non standard icon
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Queries voltage information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a Chrome extension
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Windows Defender Exclusions Added - Registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
query blbeacon for getting browser version

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Glupteba Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Found malware configuration
Source: 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}
Source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}
Source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["5.42.65.50:33080"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe.3292.20.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop"], "Build id": "DIJQ6z--"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe ReversingLabs: Detection: 48%
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe ReversingLabs: Detection: 87%
Source: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe ReversingLabs: Detection: 33%
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe ReversingLabs: Detection: 87%
Source: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\123p[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Space1.9_team[1].exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default12_team[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[2].exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\timeSync[1].exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\tQYsPom.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\DEC.exe ReversingLabs: Detection: 95%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe ReversingLabs: Detection: 21%
Yara detected Glupteba
Source: Yara match File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: wifeplasterbakewis.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: mealplayerpreceodsju.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: bordersoarmanusjuw.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: suitcaseacanehalk.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: absentconvicsjawun.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: pushjellysingeywus.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: economicscreateojsu.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: entitlementappwo.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: stripmarrystresew.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String decryptor: DIJQ6z--
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetProcAddress
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: LoadLibraryA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: lstrcatA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: OpenEventA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateEventA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CloseHandle
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Sleep
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetUserDefaultLangID
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: VirtualAllocExNuma
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: VirtualFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetSystemInfo
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: VirtualAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HeapAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetComputerNameA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: lstrcpyA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetProcessHeap
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetCurrentProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: lstrlenA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ExitProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetSystemTime
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SystemTimeToFileTime
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: advapi32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: gdi32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: user32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: crypt32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ntdll.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetUserNameA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateDCA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetDeviceCaps
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ReleaseDC
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CryptStringToBinaryA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sscanf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: VMwareVMware
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HAL9TH
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: JohnDoe
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DISPLAY
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %hu/%hu/%hu
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: http://185.172.128.23
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: /f993692117a3fda2.php
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: /8e6d9db21fb63946/
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: default9
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetFileAttributesA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GlobalLock
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HeapFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetFileSize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GlobalSize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: IsWow64Process
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Process32Next
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetLocalTime
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: FreeLibrary
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetTimeZoneInformation
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetSystemPowerStatus
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetVolumeInformationA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Process32First
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetModuleFileNameA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DeleteFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: FindNextFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: LocalFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: FindClose
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: LocalAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetFileSizeEx
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ReadFile
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SetFilePointer
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: WriteFile
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: FindFirstFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CopyFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: VirtualProtect
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetLastError
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: lstrcpynA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: MultiByteToWideChar
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GlobalFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: WideCharToMultiByte
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GlobalAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: OpenProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: TerminateProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetCurrentProcessId
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: gdiplus.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ole32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: bcrypt.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: wininet.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: shlwapi.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: shell32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: psapi.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: rstrtmgr.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SelectObject
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BitBlt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DeleteObject
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateCompatibleDC
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdipGetImageEncoders
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdiplusStartup
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdiplusShutdown
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdipSaveImageToStream
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdipDisposeImage
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GdipFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetHGlobalFromStream
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CoUninitialize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CoInitialize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CoCreateInstance
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BCryptDecrypt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BCryptSetProperty
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BCryptDestroyKey
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetWindowRect
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetDesktopWindow
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetDC
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CloseWindow
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: wsprintfA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CharToOemW
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: wsprintfW
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RegQueryValueExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RegEnumKeyExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RegOpenKeyExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RegCloseKey
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RegEnumValueA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CryptBinaryToStringA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CryptUnprotectData
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SHGetFolderPathA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ShellExecuteExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: InternetOpenUrlA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: InternetConnectA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: InternetCloseHandle
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: InternetOpenA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HttpSendRequestA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HttpOpenRequestA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: InternetReadFile
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: InternetCrackUrlA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: StrCmpCA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: StrStrA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: StrCmpCW
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: PathMatchSpecA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: GetModuleFileNameExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RmStartSession
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RmRegisterResources
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RmGetList
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: RmEndSession
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_open
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_step
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_column_text
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_finalize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_close
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_column_bytes
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3_column_blob
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: encrypted_key
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: PATH
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: NSS_Init
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: NSS_Shutdown
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: PK11_FreeSlot
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: PK11_Authenticate
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: C:\ProgramData\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: browser:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: profile:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: url:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: login:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: password:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Opera
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: OperaGX
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Network
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: cookies
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: .txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: TRUE
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: FALSE
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: autofill
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: history
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: name:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: month:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: year:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: card:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Cookies
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Login Data
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Web Data
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: History
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: logins.json
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: formSubmitURL
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: usernameField
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: encryptedUsername
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: encryptedPassword
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: guid
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: cookies.sqlite
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: formhistory.sqlite
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: places.sqlite
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: plugins
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Local Extension Settings
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Sync Extension Settings
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: IndexedDB
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Opera Stable
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Opera GX Stable
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: CURRENT
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: chrome-extension_
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Local State
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: profiles.ini
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: chrome
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: opera
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: firefox
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: wallets
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %08lX%04lX%lu
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ProductName
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ProcessorNameString
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DisplayName
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DisplayVersion
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Network Info:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - IP: IP?
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Country: ISO?
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: System Summary:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - HWID:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - OS:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Architecture:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - UserName:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Computer Name:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Local Time:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - UTC:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Language:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Keyboards:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Laptop:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Running Path:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - CPU:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Threads:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Cores:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - RAM:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - Display Resolution:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: - GPU:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: User Agents:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Installed Apps:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: All Users:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Current User:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Process List:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: system_info.txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: freebl3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: mozglue.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: msvcp140.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: nss3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: softokn3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: vcruntime140.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Temp\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: .exe
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: runas
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: open
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: /c start
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %DESKTOP%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %APPDATA%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %USERPROFILE%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %DOCUMENTS%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %PROGRAMFILES%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: %RECENT%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: *.lnk
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: files
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \discord\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Local Storage\leveldb
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Telegram Desktop\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: key_datas
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: map*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: F8806DD0C461824F*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Telegram
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: *.tox
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: *.ini
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Password
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: 00000001
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: 00000002
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: 00000003
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: 00000004
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Pidgin
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \.purple\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: accounts.xml
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: token:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Software\Valve\Steam
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: SteamPath
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \config\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ssfn*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: config.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DialogConfig.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: libraryfolders.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: loginusers.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Steam\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: sqlite3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: browsers
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: done
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: soft
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: \Discord\tokens.txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: https
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: POST
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: HTTP/1.1
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: hwid
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: build
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: token
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: file_name
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: file
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: message
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987D9D0 CryptAcquireContextA,GetLastError, 7_2_6987D9D0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8, 7_2_6987DBB0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987DD20 CryptReleaseContext, 7_2_6987DD20
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987DEE0 CryptReleaseContext, 7_2_6987DEE0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987DE00 CryptGenRandom,__CxxThrowException@8, 7_2_6987DE00
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_698A35E0 CryptReleaseContext, 7_2_698A35E0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987D7D4 CryptReleaseContext, 7_2_6987D7D4
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6987D7F0 CryptReleaseContext, 7_2_6987D7F0

Bitcoin Miner
barindex
Yara detected Glupteba
Source: Yara match File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe Unpacked PE file: 44.2.cddvdrunner2333.exe.400000.0.unpack
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbu source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2684621508.00000000698A4000.00000002.00000001.01000000.00000028.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BdeHdCfg.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: symsrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb;Cn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: r\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Moq.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: uic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: BdeHdCfg.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: symsrv.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: EfiGuardDxe.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: dbghelp.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: dbghelp.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Loader.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2102749607.000002262FB02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104110962.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104275365.000002262FAAD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104927446.000002262FFEF000.00000004.00000020.00020000.00000000.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000000.2244173110.0000000000312000.00000002.00000001.01000000.0000000E.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000002.2431895922.0000000000312000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: yyfBua979C0ZzSPnCxybIlhk.exe, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654915199.0000000000ABB000.00000040.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000000.2240349104.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589762241.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp
Source: Binary string: Moq.pdbSHA256@ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbJn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: changepk.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbB# source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdbjz source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: .pdb.dbg source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: AppInstallerBackgroundUpdate.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: change.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: AppInstallerBackgroundUpdate.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\build\client\wNow64a\B_rel\atieclxx.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: changepk.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004A79000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004C04000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005D8A000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: y\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb~~ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: change.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp

Change of critical system settings
barindex
Adds extensions / path to Windows Defender exclusion list (Registry)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6940
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_05ABD588
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6939
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_05AB5565
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_05ABD480
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6C69
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_05ABD478
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6C70
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then jmp 05ABD06Ah 7_2_05ABCFB8
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then jmp 05ABD06Ah 7_2_05ABCFB0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6B60
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6B58
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_05AB36DC
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_05ABCED7
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6A48
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 7_2_05AB6A50

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 172.67.196.94 443
Source: C:\Windows\explorer.exe Network Connect: 186.10.34.51 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: stripmarrystresew.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor URLs: http://nidoe.org/tmp/index.php
Source: Malware configuration extractor URLs: http://sodez.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://uama.com.ua/tmp/index.php
Source: Malware configuration extractor URLs: http://talesofpirates.net/tmp/index.php
Source: Malware configuration extractor URLs: 5.42.65.50:33080
Creates HTML files with .exe extension (expired dropper behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: f4Y7IGUXRMqOH79zw7TPvsbX.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: Gon5N1KYkyaNFzeeJDoj76Fi.exe.0.dr
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0093E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 6_2_0093E220
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.twitter.com (Twitter)
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.youtube.com (Youtube)
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://127.0.0.1:
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php(
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exeL
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exem
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma1504.exe
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma1504.exen%$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/api/flash.php
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/api/flash.php:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/api/flash.phpH
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/api/flash.phpV
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/api/flash.phpr
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exeP
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exeV
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exef
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/page_error.jpeg
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/page_error.jpegF3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/page_error.jpegb3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/page_error.jpeghttp://5.42.66.10/download/page_error.pngC:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/page_error.png
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/page_error.png.
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.phpgs
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2169039039.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.php$
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.php12.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpings
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpings&
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpingsB
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpom/0/6
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpphp.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpv
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/r
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/rIMa
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10:80/api/flash.php
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10:80/api/flash.php3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10:80/api/flash.php51
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10:80/download/page_error.pngZZ
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveResponse
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveT
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartResponse
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartT
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ACVC.WPF.Service.WcfT
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vovsoft.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA00000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.phpF
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.phpa
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108082037.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA3C000.00000004.00000020.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000000.2240084953.0000000000410000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.innosetup.com
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org).
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDp
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.tiktok.com
Source: tNKXm3LImvO5in9OelWM8_lp.exe, 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com/v
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com:443/ows
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108775259.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108362466.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2116491415.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113083438.000002262FA0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113464336.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2111124592.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2121711417.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassia~(
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baldurgatez.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe;2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baldurgatez.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe;2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2112981350.000002262FA85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168867567.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104775379.000002262FA8A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/8b0be658-c958-47a3-96e4-fc8e5fe7c5dc/downloads/dc50f97b-477f-
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exeT
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094479399.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org:80/superworkspacenb/gerge/downloads/grabber.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2121711417.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/6
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/ee45f9fcdced34e0430667992abd2d38/cad54ba5b0142
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103339004.000002262FA57000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103290439.000002262FA56000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7C6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103999098.000002262F9F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/ee45f9fcdced34e0430667992abd2d38/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ampproject.org
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.syndication.twimg.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.goo
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513459274.0000000003796000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx1:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513596742.0000000003788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx4
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxR4
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://connect.facebook.net
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52:~s
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52esI
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/l
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/t
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/~
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52z
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA00000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.vk.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html#process
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html#processing-model
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigachadfanclub.org/ee45f9fcdced34e0430667992abd2d38/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://github.com/moq/moq4
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://googletagmanager.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/:
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000068A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52c
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52w
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52c
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/1BV4j7.mp4
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/1BV4j7.mp4s%
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/1pRXr7.txt
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/1pRXr7.txtjs_
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/1tqHh7.mp3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/P
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/R
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/_F
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru/s
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru:443/1BV4j7.mp4O
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru:443/1pRXr7.txt
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplis.ru:443/1tqHh7.mp3u
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1nhuM4.js
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1nhuM4.jsX
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org:443/1nhuM4.js
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://login.microsoftonline.com/crypto/rc4:
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.vk.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.vk.com/?act=login
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.vk.com/?act=logout&hash=df5be74fd1475c23cd&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcr
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://management.azure.cominvalid
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://management.chinacloudapi.cnP224
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://management.core.chinacloudapi.cnchacha20poly1305:
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://management.core.usgovcloudapi.netGODEBUG
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://management.usgovcloudapi.nethttps://management.core.windows.net/edwards25519:
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://maps.googleapis.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exep/0/6
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exes.top/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top:80/style/060.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top:80/style/060.exe2$
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113407483.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2110942258.000002262FA82000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2112684823.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108279479.000002262FA62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108740822.000002262FA82000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA61000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2115459164.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108397207.000002262FA80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exenet/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com:80/525403/setup.exen$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513459274.0000000003796000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page-error.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page-error.com/performance/?license=$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513679922.000000000379A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513596742.0000000003788000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513642281.0000000003790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page-error.com/thankyou/?uuid=$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000378A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513385608.0000000003790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://page-error.comJ
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/r
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153658618.000002262F7EB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://papi.vk.com/pushsse/ruim
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://platform.twitter.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://r.mradx.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://securepubads.g.doubleclick.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/base.7c74f023.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/common.1545e5c6.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/fonts_cnt.c7a76efe.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/fonts_utf.7fa94ada.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/ui_common.eebaf9c8.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/uncommon.6d51982c.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/vk_sans_display.5625d45f.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/vk_sans_display_faux.7d208ecb.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/al/vkui.43318ab6.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/css/fonts/VKSansDisplayDemiBoldFaux.v100.woff2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.89b663a3.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.93b52d88.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/common.a525896b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/react.759f82b6.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/state-management.c22f9f68.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit-icons.826b9222.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit.07cf1bad.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit.fef2a97a.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkui.bce4c996.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/common_web.6a09f0e1.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/common_web.9d09fc5d.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/css_types.1bff1a5b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/docs.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/docs.93c768ea.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/error_monitoring.isolated.3df2967b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/grip.0b3b493f.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/jobs_devtools_notification.14f96f02.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/likes.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/likes.de4f3981.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/page_layout.7b5800c2.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/performance_observers.4d12f60f.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/polyfills.isolated.edaffb7b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/raven_logger.ea0a2239.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/site_layout.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/site_layout.4881c427.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/ui_common.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/ui_common.88618847.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/unauthorized.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/unauthorized.bf4667d7.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://st6-22.vk.com/dist/web/vk_sans_observer.fb28db65.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.vk.me
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stats.vk-portal.net
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA00000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-21.userapi.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-21.userapi.com/c236331/u5294803/docs/d24/3cad94b79c70/imgdrive_2_1.bmp?extra=KSt_51f-h8
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-21.userapi.com/c909328/u5294803/docs/d12/eb1afcc538fd/PL_Clients.bmp?extra=iwYpYeMLSGBx
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-21.userapi.com/p
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT%
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://t.me/irfail
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp String found in binary or memory: https://t.me/irfailAt
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2514882020.0000000006797000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tagmanager.google.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telegram.org
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ton.twimg.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://translate.googleapis.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/&
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exebe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exes
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2628063256.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/Security
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurK
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668512951?hash=uac9wbeb45bZZ2A4Vgx1xpUTavuZvoy56VWHrfJX9iH&dl=BnUuPvvpE2Gl
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/r
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.ru
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://vovsoft.com/contact/
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://vovsoft.com/contact/.
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://vovsoft.com/newsletter/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103368896.000002262FA12000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.c
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.instagram.com
Source: yyfBua979C0ZzSPnCxybIlhk.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2643761852.000000002D1E0000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2643761852.000000002D1E0000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2643761852.000000002D1E0000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.security.us.panasonic.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yastatic.net

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Installs a raw input device (often for capturing keystrokes)
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RawInputListener: RegisterRawInputDevices() failed, quitting... memstr_b18b3860-e

E-Banking Fraud
barindex
Yara detected Glupteba
Source: Yara match File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR
Drops certificate files (DER)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp2BCA.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp2BDA.tmp Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe entropy: 7.99834341189 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe entropy: 7.99834341189 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\setup[1].exe entropy: 7.99641413191 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe entropy: 7.99641413191 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe entropy: 7.99564568557 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe entropy: 7.99564568557 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\bynA5XZaUopLU9g6Euj0.exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip entropy: 7.99782759214 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe entropy: 7.99003010243 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\python38.dll entropy: 7.99191184235 Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\_cffi.cp38-win_amd64.pyd entropy: 7.99362866091 Jump to dropped file

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000012.00000002.2709843696.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000002.2710983086.0000000002EA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
.NET source code contains very large array initializations
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, Strings.cs Large array initialization: Strings: array initializer size 6160
PE file contains section with special chars
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Uses powercfg.exe to modify the power settings
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Contains functionality to call native functions
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05ABD590 NtUnmapViewOfSection, 7_2_05ABD590
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05ABD58B NtUnmapViewOfSection, 7_2_05ABD58B
Creates files inside the system directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Windows\System32\GroupPolicy\Machine Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Windows\System32\GroupPolicy\User Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0092C490 6_2_0092C490
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0092BFC0 6_2_0092BFC0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0095C800 6_2_0095C800
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00991830 6_2_00991830
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3186E 6_2_00C3186E
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C34077 6_2_00C34077
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A1B84F 6_2_00A1B84F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3A1DF 6_2_00C3A1DF
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A1D9FE 6_2_00A1D9FE
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0096C160 6_2_0096C160
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C322E8 6_2_00C322E8
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3328E 6_2_00C3328E
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C34A5A 6_2_00C34A5A
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009A1A30 6_2_009A1A30
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009A7270 6_2_009A7270
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0096EB90 6_2_0096EB90
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A05B90 6_2_00A05B90
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C32B8B 6_2_00C32B8B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A003D0 6_2_00A003D0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C32360 6_2_00C32360
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0095FB60 6_2_0095FB60
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A03B58 6_2_00A03B58
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0099F360 6_2_0099F360
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00936490 6_2_00936490
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3B49D 6_2_00C3B49D
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A16CC5 6_2_00A16CC5
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00922400 6_2_00922400
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3242B 6_2_00C3242B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009A3470 6_2_009A3470
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00A0959F 6_2_00A0959F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C39D89 6_2_00C39D89
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C39555 6_2_00C39555
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3350A 6_2_00C3350A
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009906C0 6_2_009906C0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009A3EF0 6_2_009A3EF0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00938EE0 6_2_00938EE0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00922600 6_2_00922600
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00992630 6_2_00992630
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C35FB7 6_2_00C35FB7
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009A2FE0 6_2_009A2FE0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C39751 6_2_00C39751
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6984B6B0 7_2_6984B6B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69864970 7_2_69864970
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69890B89 7_2_69890B89
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69828B30 7_2_69828B30
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69864AC0 7_2_69864AC0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69842D70 7_2_69842D70
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6989AC29 7_2_6989AC29
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69874EE0 7_2_69874EE0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6983A0C0 7_2_6983A0C0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_698763B0 7_2_698763B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69882310 7_2_69882310
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6989A54D 7_2_6989A54D
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69864550 7_2_69864550
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6982C7B0 7_2_6982C7B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6982A7E0 7_2_6982A7E0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69826650 7_2_69826650
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6989B964 7_2_6989B964
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_698758D7 7_2_698758D7
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_698758D5 7_2_698758D5
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69875830 7_2_69875830
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69899AAB 7_2_69899AAB
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69875DD0 7_2_69875DD0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69895DD2 7_2_69895DD2
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69863C90 7_2_69863C90
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69881CA0 7_2_69881CA0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69899FFC 7_2_69899FFC
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6989BFF1 7_2_6989BFF1
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69875EB9 7_2_69875EB9
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69863E50 7_2_69863E50
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69875050 7_2_69875050
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69863260 7_2_69863260
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69875274 7_2_69875274
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_69863460 7_2_69863460
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A6A9B8 7_2_01A6A9B8
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A69890 7_2_01A69890
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A6CA28 7_2_01A6CA28
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A61120 7_2_01A61120
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A61110 7_2_01A61110
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A68368 7_2_01A68368
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A60D60 7_2_01A60D60
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A60D70 7_2_01A60D70
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_01A66F59 7_2_01A66F59
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05AB0040 7_2_05AB0040
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05AB31B0 7_2_05AB31B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05AB2E58 7_2_05AB2E58
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05B90EB3 7_2_05B90EB3
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05B926F8 7_2_05B926F8
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05B90930 7_2_05B90930
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_05B926DC 7_2_05B926DC
Found potential string decryption / allocating functions
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: String function: 69889B35 appears 141 times
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: String function: 6988D520 appears 31 times
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: String function: 698890D8 appears 51 times
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: Resource name: AUUPG type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
PE file contains more sections than normal
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: Number of sections : 14 > 10
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: Number of sections : 14 > 10
Source: Space1.9_team[1].exe.0.dr Static PE information: Number of sections : 14 > 10
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: Number of sections : 14 > 10
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: Default12_team[1].exe.0.dr Static PE information: Number of sections : 14 > 10
Source: Retailer_prog[1].exe.0.dr Static PE information: Number of sections : 14 > 10
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: Number of sections : 15 > 10
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139567155.000002262FC00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7zS.sfx.exe, vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000000.2030166989.00007FF77F8DE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCookComputing.XmlRpcV2.dll8 vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139278820.000002262FE9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7zS.sfx.exe, vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCookComputing.XmlRpcV2.dll8 vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Yara signature match
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000012.00000002.2709843696.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000002.2710983086.0000000002EA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
query blbeacon for getting browser version
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version Jump to behavior
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997554064239332
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: Section: ZLIB complexity 1.000469355620155
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: Section: ZLIB complexity 0.9892578125
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: Section: ZLIB complexity 0.9994283536585366
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, Strings.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, e7EuwtGMnIvwifDxGE0.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@214/396@0/31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe File created: C:\Users\user\AppData\Local\Temp\adobequx8jdqZzTMI Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe File opened: C:\Windows\system32\3743bfe92965e651c86de88a577beac623f12834a30d8c2ced3f982234136822AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File read: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2072366841.000002262F735000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2072325699.000002262DA29000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2471077165.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2471737073.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2472044878.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2469332249.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2470572740.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2489340445.000000002106E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe ReversingLabs: Detection: 21%
Source: yyfBua979C0ZzSPnCxybIlhk.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Process created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe .\Install.exe /dlhwdidkpGO "525403" /S
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Process created: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp "C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp" /SL4 $B0024 "C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe" 3625196 52224
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process created: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe "C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Process created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe .\Install.exe /dlhwdidkpGO "525403" /S Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Process created: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp "C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp" /SL4 $B0024 "C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe" 3625196 52224
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process created: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe "C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: gpedit.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: dssec.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: dsuiext.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fhsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msidle.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fhcfg.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: efsutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncasvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: httpprxp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wpdbusenum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: portabledeviceapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: portabledeviceconnectapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: gpedit.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: dssec.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: dsuiext.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: mozglue.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: wsock32.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: umpdc.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: winsta.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: sxs.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: acgenral.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: msacm32.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: aclayers.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: sfc.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: riched20.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: usp10.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: msls31.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: textshaping.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: pcacli.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Section loaded: umpdc.dll
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static file information: File size 4008384 > 1048576
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: Raw size of .vmp(R is bigger than: 0x100000 < 0x39d000
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbu source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2684621508.00000000698A4000.00000002.00000001.01000000.00000028.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BdeHdCfg.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: symsrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb;Cn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: r\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Moq.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: uic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: BdeHdCfg.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: symsrv.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: EfiGuardDxe.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: dbghelp.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: dbghelp.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Loader.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2102749607.000002262FB02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104110962.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104275365.000002262FAAD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104927446.000002262FFEF000.00000004.00000020.00020000.00000000.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000000.2244173110.0000000000312000.00000002.00000001.01000000.0000000E.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000002.2431895922.0000000000312000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: yyfBua979C0ZzSPnCxybIlhk.exe, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654915199.0000000000ABB000.00000040.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000000.2240349104.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589762241.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp
Source: Binary string: Moq.pdbSHA256@ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbJn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: changepk.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbB# source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdbjz source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: .pdb.dbg source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: AppInstallerBackgroundUpdate.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: change.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: AppInstallerBackgroundUpdate.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\build\client\wNow64a\B_rel\atieclxx.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: changepk.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004A79000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004C04000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005D8A000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: y\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb~~ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: change.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Unpacked PE file: 18.2.wjwNFr_3XWBVO8HOPBPzLGWO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe Unpacked PE file: 44.2.cddvdrunner2333.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.rview4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe Unpacked PE file: 44.2.cddvdrunner2333.exe.400000.0.unpack
.NET source code contains method to dynamically call methods (often used by packers)
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, e7EuwtGMnIvwifDxGE0.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, nbHRr4wrm68DvPGr2G8.cs .Net Code: gIHi6nZTWj
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, nbHRr4wrm68DvPGr2G8.cs .Net Code: H0XvE6l8vb
Binary contains a suspicious time stamp
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe.0.dr Static PE information: 0x81E836EB [Mon Jan 24 10:54:35 2039 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00938BB0 LoadLibraryA,GetProcAddress, 6_2_00938BB0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp(R
File is packed with WinRar
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4004000
PE file contains an invalid checksum
Source: 7725eaa6592c80f8124e769b4e8a07f7[1].exe.0.dr Static PE information: real checksum: 0x42e5b5 should be: 0x42d3e3
Source: setup294[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x21765e
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x6b3228
Source: xNcVS_VvZEHfTUaNtkua55mf.exe.0.dr Static PE information: real checksum: 0x42e5b5 should be: 0x432f23
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x4a74cf
Source: setup[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x6b3228
Source: B0SLNTT0ZbIxZcHr0SHBJGEz.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x21765e
Source: f5PK0Fmcntr6Bz8d571_sPMM.exe.0.dr Static PE information: real checksum: 0x42e5b5 should be: 0x42d3e3
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x3d3d2c
Source: 060[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x3d3d2c
Source: cad54ba5b01423b1af8ec10ab5719d97[1].exe.0.dr Static PE information: real checksum: 0x42e5b5 should be: 0x432f23
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x644d0
Source: tNKXm3LImvO5in9OelWM8_lp.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x899e4
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: _RDATA
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .themida
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Static PE information: section name: .vmp(R
Source: setup294[1].exe.0.dr Static PE information: section name: .didat
Source: B0SLNTT0ZbIxZcHr0SHBJGEz.exe.0.dr Static PE information: section name: .didat
Source: setup[1].exe.0.dr Static PE information: section name: .sxdata
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe.0.dr Static PE information: section name: .sxdata
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .themida
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .themida
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .themida
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .themida
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr Static PE information: section name: .vmp(R
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe.0.dr Static PE information: section name: .xdata
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name: .themida
Source: 123p[1].exe.0.dr Static PE information: section name: .00cfg
Source: 123p[1].exe.0.dr Static PE information: section name: .text0
Source: 123p[1].exe.0.dr Static PE information: section name: .text1
Source: 123p[1].exe.0.dr Static PE information: section name: .text2
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .themida
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .themida
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr Static PE information: section name: .vmp(R
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr Static PE information: section name: .00cfg
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr Static PE information: section name: .text0
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr Static PE information: section name: .text1
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr Static PE information: section name: .text2
Source: grabber[1].exe.0.dr Static PE information: section name: _RDATA
Source: Honz_MBQI6vCkcbyCN3yB4rh.exe.0.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3A8CC push ebp; mov dword ptr [esp], eax 6_2_00E1412D
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3A8CC push edi; mov dword ptr [esp], ebp 6_2_00E1416B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3A8CC push 3B40FFB0h; mov dword ptr [esp], ebp 6_2_00E141D6
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3A8CC push eax; mov dword ptr [esp], edi 6_2_00E141EB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push 7FB76899h; mov dword ptr [esp], esp 6_2_00E2399F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push edx; mov dword ptr [esp], edi 6_2_00E239BB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push 725129A4h; mov dword ptr [esp], esp 6_2_00E239E1
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push 6BD64571h; mov dword ptr [esp], edi 6_2_00E23A4F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push 5CD7A313h; mov dword ptr [esp], eax 6_2_00E23A83
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push edx; mov dword ptr [esp], edi 6_2_00E23B4E
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C340DD push eax; mov dword ptr [esp], ebp 6_2_00E23B7B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3B0E6 push edi; mov dword ptr [esp], eax 6_2_00E26AB8
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3B0E6 push eax; mov dword ptr [esp], ebp 6_2_00E26BC3
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3908B push ecx; mov dword ptr [esp], edx 6_2_00E19021
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3908B push ebx; mov dword ptr [esp], eax 6_2_00E19044
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3908B push eax; mov dword ptr [esp], 194A00EBh 6_2_00E19057
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3908B push edi; mov dword ptr [esp], 00D6AF5Bh 6_2_00E19121
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3908B push 4A09B8EBh; mov dword ptr [esp], eax 6_2_00E19170
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C330BF push edi; mov dword ptr [esp], edx 6_2_00E16F99
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C330BF push 0242F1AFh; mov dword ptr [esp], ebx 6_2_00E16FCF
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C330BF push 176328ABh; mov dword ptr [esp], edi 6_2_00E16FE7
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C330BF push esi; mov dword ptr [esp], 5BB7B8A1h 6_2_00E1708F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C330BF push 58BB0EE8h; mov dword ptr [esp], ecx 6_2_00E170B6
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C330BF push ebx; mov dword ptr [esp], edx 6_2_00E1712C
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3186E push 212322F7h; mov dword ptr [esp], eax 6_2_00E27B63
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3186E push esi; mov dword ptr [esp], ebp 6_2_00E27BC7
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C3186E push 76A7464Dh; mov dword ptr [esp], edx 6_2_00E27C23
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C34077 push ebp; mov dword ptr [esp], edi 6_2_00E1D8CB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C34077 push ecx; mov dword ptr [esp], ebp 6_2_00E1D90B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C34077 push edx; mov dword ptr [esp], 000AABD3h 6_2_00E1D97B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00C34077 push 0E20700Ch; mov dword ptr [esp], edx 6_2_00E1D9C2
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr Static PE information: section name: entropy: 7.999611881196484
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, nbHRr4wrm68DvPGr2G8.cs High entropy of concatenated method names: 'tm3JNKOfeW', 'dmaJ2LKJPv', 'z6oJOGdAkB', 'rGNJsT4K1w', 'hqWJQRmSLQ', 'kp6JCL917j', 'QOwJYYrNj7', 'Lj9w2n13yO', 'eJ2J8wCEuG', 'CU0JLqixeJ'
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, e7EuwtGMnIvwifDxGE0.cs High entropy of concatenated method names: 'nwZuVFQvkC', 'g38PJ8K3c0', 'fpOulNOay4', 'tvNu1NQNXT', 'VZauNxh8gy', 'fCfu2lbAVZ', 'R1aBWr0WHY', 'L2UGSMfnEw', 'SQsGkNL33N', 'f5VGz55rr8'

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Jump to dropped file
Found pyInstaller with non standard icon
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Installs new ROOT certificates
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\123p[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\BdeHdCfg.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_elementtree.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\backend_c.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cad54ba5b01423b1af8ec10ab5719d97[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\python3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32trace.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\tQYsPom.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe File created: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\CameraSettingsUIHost.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\win32ui.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\upx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md__mypyc.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32security.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\VCRUNTIME140_1.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\MSVCP140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\libssl-1_1.dll (copy) Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\mfc140u.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_socket.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32net.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Space1.9_team[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\change.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\ssleay32.dll (copy) Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\2eb29b48[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe File created: C:\Users\user\AppData\Local\Temp\TaFd.XRA Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pythoncom38.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\changepk.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\setup[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\p508E0L2OxcFz21C_cBt.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default12_team[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\select.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32wnet.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[2].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\python38.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\netconn_properties.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\bynA5XZaUopLU9g6Euj0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil\_psutil_windows.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\rules[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3TV13.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\7725eaa6592c80f8124e769b4e8a07f7[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pywintypes38.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32api.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\registers.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\_cffi.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-0MI7C.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\AppInstallerBackgroundUpdate.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe File created: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\setup294[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_queue.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqln[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-FD6NC.tmp Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DEC.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\timeSync[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\fcegbwt Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3KPDG.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\atieclxx.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe File created: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File created: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe File created: C:\Users\user\AppData\Local\Temp\TaFd.XRA Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\fcegbwt Jump to dropped file
Installs a Chrome extension
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\128.png Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\manifest.json Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\performance.js Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.css Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.html Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.js Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\worker.js Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata\verified_contents.json Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings Jump to behavior

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Window searched: window name: RegmonClass
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Creates or modifies windows services
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\fcegbwt:Zone.Identifier read attributes | delete
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Memory written: PID: 1576 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Memory written: PID: 1576 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009A1A30 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_009A1A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Fb9COhEBuDNRhtMnCgGo2QiL.exe PID: 4068, type: MEMORYSTR
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Found API chain indicative of sandbox detection
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Stalling execution: Execution stalls by calling Sleep
Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Fan
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_Slot
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_NumericSensor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_Sensor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_TemperatureSensor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PerfFormattedData_Counters_ThermalZoneInformation
Queries voltage information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_VoltageSensor
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wjwNFr_3XWBVO8HOPBPzLGWO.exe, 00000012.00000002.2710664530.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Special instruction interceptor: First address: 7FF77F1DCDCA instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Special instruction interceptor: First address: 4F3339 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Special instruction interceptor: First address: F3E827 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Special instruction interceptor: First address: 576957 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Special instruction interceptor: First address: BCF9B7 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory allocated: 1A60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory allocated: 33B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory allocated: 30E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1510000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4FB0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 6_2_0097D9F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1267
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 452
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\BdeHdCfg.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_elementtree.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\backend_c.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32trace.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\python3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\CameraSettingsUIHost.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\win32ui.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\upx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md__mypyc.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32security.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\mfc140u.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_socket.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32net.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\ssleay32.dll (copy) Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\change.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pythoncom38.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\TaFd.XRA Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\changepk.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32wnet.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\select.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\python38.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\netconn_properties.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\bynA5XZaUopLU9g6Euj0.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil\_psutil_windows.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3TV13.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32api.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pywintypes38.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\_cffi.cp38-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\registers.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-0MI7C.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\AppInstallerBackgroundUpdate.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_queue.pyd Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqln[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-FD6NC.tmp Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DEC.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3KPDG.tmp Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\atieclxx.exe Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 6536 Thread sleep count: 286 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 6536 Thread sleep time: -57200s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 4308 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 4616 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe TID: 5696 Thread sleep count: 134 > 30 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe TID: 1568 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe TID: 2068 Thread sleep count: 58 > 30
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe TID: 2068 Thread sleep count: 60 > 30
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe TID: 2068 Thread sleep count: 61 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 408 Thread sleep count: 122 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 408 Thread sleep count: 224 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 4580 Thread sleep count: 41 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 408 Thread sleep count: 111 > 30
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe TID: 2300 Thread sleep count: 45 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7864 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2928 Thread sleep time: -922337203685477s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe File opened: PhysicalDrive0
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.0000000000698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: svchost.exe, 00000004.00000003.2043499640.000001FA30845000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2513974085.0000000006AB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000068A000.00000004.00000020.00020000.00000000.sdmp, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe, 0000000F.00000003.2444818155.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2648077707.000002D501448000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: rvzZmTKhzLAk54H0OO5fg4xv.exe, 0000000E.00000003.2432316204.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: rvzZmTKhzLAk54H0OO5fg4xv.exe, 0000000E.00000003.2432316204.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}(
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2602826536.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: main.isRunningInsideVMWare
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000003.2591934723.00000000006A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000002.00000002.2415447370.000001FDBA202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000068A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&+
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe System information queried: CodeIntegrityInformation
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: regmonclass
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: ollydbg
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: filemonclass
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6988B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6988B144
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_00938BB0 LoadLibraryA,GetProcAddress, 6_2_00938BB0
Contains functionality to read the PEB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0097D9F0 mov eax, dword ptr fs:[00000030h] 6_2_0097D9F0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0097D9F0 mov eax, dword ptr fs:[00000030h] 6_2_0097D9F0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_0093AB90 mov eax, dword ptr fs:[00000030h] 6_2_0093AB90
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009360B0 mov ecx, dword ptr fs:[00000030h] 6_2_009360B0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009346B0 mov eax, dword ptr fs:[00000030h] 6_2_009346B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009294C0 OutputDebugStringA,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree, 6_2_009294C0
Enables debug privileges
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process token adjusted: Debug
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process token adjusted: Debug
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6988B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6988B144
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6988948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6988948B
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: fcegbwt.48.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 172.67.196.94 443
Source: C:\Windows\explorer.exe Network Connect: 186.10.34.51 80
Allocates memory in foreign processes
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2530000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Thread created: C:\Windows\explorer.exe EIP: 31819D0
Disables Windows Defender (deletes autostart)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtQuerySystemInformation: Indirect: 0x7FF77F3C4DA5 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtSetInformationThread: Indirect: 0x7FF77F42E2A5 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtQueryInformationProcess: Indirect: 0x7FF77F41DA6B Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x141036FB5
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x140FE889D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F5BD6CC Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x1416CF1D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F62EF94 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Indirect: 0x140F595B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F877A52 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtMapViewOfSection: Direct from: 0x14100CB88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F61D9A5 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F7D87EC Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x1416AD85D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F6310E6 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F548F53 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F7D726F Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F5B98FD Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtOpenFile: Direct from: 0x140FBB569
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F7D86D9 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x14102BFF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtQueryInformationProcess: Indirect: 0x7FF77F41DB99 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F7B8033 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x141037F5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe NtProtectVirtualMemory: Direct from: 0x7FF77F5522E2 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x141019C6D
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe NtProtectVirtualMemory: Direct from: 0x141699636
Injects a PE file into a foreign processes
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2530000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
LummaC encrypted strings found
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: wifeplasterbakewis.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mealplayerpreceodsju.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bordersoarmanusjuw.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: suitcaseacanehalk.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: absentconvicsjawun.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pushjellysingeywus.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: economicscreateojsu.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: entitlementappwo.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stripmarrystresew.shop
Maps a DLL or memory area into another process
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Sample uses process hollowing technique
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 464000 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4C0000 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EC7008
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2530000
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26F4008
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B2E008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_698884B0 cpuid 7_2_698884B0
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\certifi VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_lzma.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\nyv8h1dp VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pywintypes38.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pythoncom38.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32api.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g\gen_py\__init__.py VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g\gen_py\dicts.dat VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_socket.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\select.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil\_psutil_windows.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32net.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32security.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_ssl.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\backend_c.cp38-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_queue.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md.cp38-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md__mypyc.cp38-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe Code function: 6_2_009FC84D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_009FC84D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender real time protection (registry)
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1 Jump to behavior
Exclude list of file types from scheduled, custom, and real-time scanning
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe Registry value created: Exclusions_Extensions 1 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe Registry value created: Exclusions_Extensions 1 Jump to behavior
Modifies Group Policy settings
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Modifies power options to not sleep / hibernate
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected Glupteba
Source: Yara match File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Mars stealer
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED
Yara detected RedLine Stealer
Source: Yara match File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tNKXm3LImvO5in9OelWM8_lp.exe PID: 1628, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 6.2.yyfBua979C0ZzSPnCxybIlhk.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.azloBsQlDmB56PqIarSd7g7V.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000003.2518467991.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2518348325.0000000006AC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2602141465.000000000671F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yyfBua979C0ZzSPnCxybIlhk.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip, type: DROPPED
Yara detected SmokeLoader
Source: Yara match File source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: M3c5GcarM7S9e4Fzg9fhkljA.exe PID: 1272, type: MEMORYSTR
Yara detected zgRAT
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality
barindex
Yara detected Glupteba
Source: Yara match File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Mars stealer
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED
Yara detected RedLine Stealer
Source: Yara match File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tNKXm3LImvO5in9OelWM8_lp.exe PID: 1628, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 6.2.yyfBua979C0ZzSPnCxybIlhk.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.azloBsQlDmB56PqIarSd7g7V.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000003.2518467991.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2518348325.0000000006AC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2602141465.000000000671F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yyfBua979C0ZzSPnCxybIlhk.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip, type: DROPPED
Yara detected SmokeLoader
Source: Yara match File source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: M3c5GcarM7S9e4Fzg9fhkljA.exe PID: 1272, type: MEMORYSTR
Yara detected zgRAT
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe Code function: 7_2_6983A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress, 7_2_6983A0C0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1428462 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 139 Found malware configuration 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 Antivirus detection for dropped file 2->143 145 21 other signatures 2->145 8 SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe 11 56 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 123 87.240.137.164 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->123 125 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->125 127 19 other IPs or domains 8->127 105 C:\Users\...\yyfBua979C0ZzSPnCxybIlhk.exe, PE32 8->105 dropped 107 C:\Users\...\xNcVS_VvZEHfTUaNtkua55mf.exe, PE32 8->107 dropped 109 C:\Users\...\wjwNFr_3XWBVO8HOPBPzLGWO.exe, PE32 8->109 dropped 111 29 other malicious files 8->111 dropped 199 Query firmware table information (likely to detect VMs) 8->199 201 Drops PE files to the document folder of the user 8->201 203 Creates HTML files with .exe extension (expired dropper behavior) 8->203 205 11 other signatures 8->205 19 Honz_MBQI6vCkcbyCN3yB4rh.exe 8->19         started        23 M3c5GcarM7S9e4Fzg9fhkljA.exe 8->23         started        25 azloBsQlDmB56PqIarSd7g7V.exe 8->25         started        30 15 other processes 8->30 28 Install.exe 13->28         started        file5 signatures6 process7 dnsIp8 67 C:\Users\...\backend_c.cp38-win_amd64.pyd, PE32+ 19->67 dropped 69 C:\Users\user\...\_cffi.cp38-win_amd64.pyd, PE32+ 19->69 dropped 79 75 other files (35 malicious) 19->79 dropped 147 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->147 149 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 19->149 151 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->151 165 9 other signatures 19->165 32 conhost.exe 19->32         started        34 Honz_MBQI6vCkcbyCN3yB4rh.exe 19->34         started        167 4 other signatures 23->167 36 RegAsm.exe 23->36         started        41 conhost.exe 23->41         started        129 193.233.132.253 FREE-NET-ASFREEnetEU Russian Federation 25->129 131 104.26.4.15 CLOUDFLARENETUS United States 25->131 71 C:\Users\user\...\p508E0L2OxcFz21C_cBt.exe, PE32 25->71 dropped 81 4 other malicious files 25->81 dropped 153 Query firmware table information (likely to detect VMs) 25->153 155 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->155 157 Tries to steal Mail credentials (via file / registry access) 25->157 169 6 other signatures 25->169 43 Conhost.exe 25->43         started        73 C:\Users\user\AppData\Local\...\tQYsPom.exe, PE32 28->73 dropped 159 Multi AV Scanner detection for dropped file 28->159 133 185.172.128.23 NADYMSS-ASRU Russian Federation 30->133 135 147.45.47.93 FREE-NET-ASFREEnetEU Russian Federation 30->135 137 193.233.132.226 FREE-NET-ASFREEnetEU Russian Federation 30->137 75 C:\Users\user\AppData\Local\...\is-RKCCV.tmp, PE32 30->75 dropped 77 C:\Users\user\...\bynA5XZaUopLU9g6Euj0.exe, PE32 30->77 dropped 83 31 other files (27 malicious) 30->83 dropped 161 Detected unpacking (changes PE section rights) 30->161 163 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 30->163 171 19 other signatures 30->171 45 is-RKCCV.tmp 30->45         started        47 explorer.exe 30->47 injected 49 RegAsm.exe 30->49         started        51 9 other processes 30->51 file9 signatures10 process11 dnsIp12 113 37.27.87.155 UNINETAZ Iran (ISLAMIC Republic Of) 36->113 115 23.76.43.59 AMXArgentinaSAAR United States 36->115 85 C:\Users\user\AppData\...\softokn3[1].dll, PE32 36->85 dropped 87 C:\Users\user\AppData\Local\...\sqln[1].dll, PE32 36->87 dropped 99 5 other files (3 malicious) 36->99 dropped 173 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->173 175 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->175 177 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->177 191 2 other signatures 36->191 53 conhost.exe 41->53         started        89 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->89 dropped 91 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 45->91 dropped 93 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 45->93 dropped 101 10 other files (9 malicious) 45->101 dropped 55 cddvdrunner2333.exe 45->55         started        117 186.10.34.51 ENTELCHILESACL Chile 47->117 119 172.67.196.94 CLOUDFLARENETUS United States 47->119 95 C:\Users\user\AppData\Roaming\fcegbwt, PE32 47->95 dropped 97 C:\Users\user\AppData\Local\Temp\DEC.exe, PE32 47->97 dropped 179 System process connects to network (likely due to code injection or exploit) 47->179 181 Benign windows process drops PE files 47->181 183 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->183 121 5.42.65.50 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 49->121 185 Installs new ROOT certificates 49->185 187 Tries to harvest and steal browser information (history, passwords, etc) 49->187 189 Tries to steal Crypto Currency Wallets 49->189 59 conhost.exe 51->59         started        61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        65 2 other processes 51->65 file13 signatures14 process15 file16 103 C:\ProgramData\...\ImageGuide 3.1.33.66.exe, PE32 55->103 dropped 193 Multi AV Scanner detection for dropped file 55->193 195 Detected unpacking (changes PE section rights) 55->195 197 Detected unpacking (overwrites its own PE header) 55->197 signatures17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.233.132.139
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
34.117.186.192
 unknown United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.26.9.59
 unknown United States
13335 CLOUDFLARENETUS false
172.67.196.94
 unknown United States
13335 CLOUDFLARENETUS true
52.216.50.177
 unknown United States
16509 AMAZON-02US false
37.221.125.202
 unknown Lithuania
62416 PTSERVIDORPT false
172.67.216.172
 unknown United States
13335 CLOUDFLARENETUS false
18.205.93.1
 unknown United States
14618 AMAZON-AESUS false
193.233.132.253
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
87.240.137.164
 unknown Russian Federation
47541 VKONTAKTE-SPB-AShttpvkcomRU false
23.76.43.59
 unknown United States
19037 AMXArgentinaSAAR false
172.67.161.113
 unknown United States
13335 CLOUDFLARENETUS false
172.67.132.113
 unknown United States
13335 CLOUDFLARENETUS false
172.67.169.146
 unknown United States
13335 CLOUDFLARENETUS false
95.142.206.0
 unknown Russian Federation
47541 VKONTAKTE-SPB-AShttpvkcomRU false
5.42.65.50
 unknown Russian Federation
39493 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU true
147.45.47.93
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
95.142.206.1
 unknown Russian Federation
47541 VKONTAKTE-SPB-AShttpvkcomRU false
104.21.63.150
 unknown United States
13335 CLOUDFLARENETUS false
172.67.207.236
 unknown United States
13335 CLOUDFLARENETUS false
37.27.87.155
 unknown Iran (ISLAMIC Republic Of)
39232 UNINETAZ false
185.172.128.203
 unknown Russian Federation
50916 NADYMSS-ASRU false
193.233.132.226
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
109.175.29.39
 unknown Bosnia and Herzegowina
9146 BIHNETBIHNETAutonomusSystemBA false
186.10.34.51
 unknown Chile
6471 ENTELCHILESACL true
185.172.128.23
 unknown Russian Federation
50916 NADYMSS-ASRU true
104.26.4.15
 unknown United States
13335 CLOUDFLARENETUS false
104.21.5.28
 unknown United States
13335 CLOUDFLARENETUS false
5.42.66.10
 unknown Russian Federation
39493 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU false
104.21.91.214
 unknown United States
13335 CLOUDFLARENETUS false
45.130.41.108
 unknown Russian Federation
198610 BEGET-ASRU false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sodez.ru/tmp/index.php true
    economicscreateojsu.shop true
      entitlementappwo.shop true
        http://uama.com.ua/tmp/index.php true
          bordersoarmanusjuw.shop true
            http://talesofpirates.net/tmp/index.php true