Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Analysis ID:	1428462
MD5:	193692e1cf957eef7e6cf2f6bc74be86
SHA1:	9d1f849b57c96ca71f0f90c73de97fa912b691d7
SHA256:	fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6
Tags:	exe
Infos:

Detection

LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected Glupteba

Yara detected LummaC Stealer

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected RisePro Stealer

Yara detected SmokeLoader

Yara detected Stealc

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds extensions / path to Windows Defender exclusion list (Registry)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Creates a thread in another existing process (thread injection)

Creates multiple autostart registry keys

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Drops PE files to the document folder of the user

Exclude list of file types from scheduled, custom, and real-time scanning

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found pyInstaller with non standard icon

Found stalling execution ending in API Sleep call

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies Group Policy settings

Modifies power options to not sleep / hibernate

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Queries voltage information (via WMI often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes many files with high entropy

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a Chrome extension

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Windows Defender Exclusions Added - Registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

query blbeacon for getting browser version

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe (PID: 432 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe" MD5: 193692E1CF957EEF7E6CF2F6BC74BE86)

yyfBua979C0ZzSPnCxybIlhk.exe (PID: 6776 cmdline: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe MD5: 12D7B7B63D8EA8B173B69246184905D6)

Fb9COhEBuDNRhtMnCgGo2QiL.exe (PID: 4068 cmdline: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe MD5: 15A5A210A88D15A932171A9FA25A1356)

MSBuild.exe (PID: 4128 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

xNcVS_VvZEHfTUaNtkua55mf.exe (PID: 2140 cmdline: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe MD5: A37AAFD52FA58B0518A5ABFC1126A3BD)

DLdiRYbSxUKrp0thTehxs0R7.exe (PID: 368 cmdline: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe MD5: D15459E9B9D12244A57809BC383B2757)

OPHZ4RYtForDNHqUKDzFdbyl.exe (PID: 2748 cmdline: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe MD5: 442D026B2FA7E3CEB35BB40D28065A7D)

8q5xyu0coQILTrboZdACo84I.exe (PID: 6768 cmdline: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe MD5: 5E2A97C7C4BDD77D61B82E3C8454C0F1)

f5PK0Fmcntr6Bz8d571_sPMM.exe (PID: 2360 cmdline: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe MD5: 8B65C04554FDC08623E5A74F8F9B9FD2)

jToGBYVMqv5v7FLLCc3PnzZj.exe (PID: 6540 cmdline: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe MD5: 03DA9FDAF31B27C888D1331D69DC9EF8)

is-RKCCV.tmp (PID: 1252 cmdline: "C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp" /SL4 $B0024 "C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe" 3625196 52224 MD5: 823E80C325207F495A59B69AAE8AEFAD)

cddvdrunner2333.exe (PID: 3436 cmdline: "C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i MD5: 00B640E64C35C1E3F7AD1CB9A979BF2E)

rvzZmTKhzLAk54H0OO5fg4xv.exe (PID: 6204 cmdline: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe MD5: 65BE3195B801D271E01D41F7BF576BD8)

schtasks.exe (PID: 6548 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Hrpxb3VVNyjyS2Of2WrcJREY.exe (PID: 5560 cmdline: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe MD5: 399332B0CAB6E3C41A0AA0ED563BED9B)

B0SLNTT0ZbIxZcHr0SHBJGEz.exe (PID: 1976 cmdline: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe MD5: 68B27A8882FFD2A01203CC218BD80849)

regsvr32.exe (PID: 5000 cmdline: "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

tNKXm3LImvO5in9OelWM8_lp.exe (PID: 1628 cmdline: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe MD5: B6D1F343014DC55EF2588CA861DB518B)

conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5808 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

wjwNFr_3XWBVO8HOPBPzLGWO.exe (PID: 7060 cmdline: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe MD5: 9C100E7F219C7E05CCEA1899C511F4B9)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

GDL7jRat1qTWaJDTi_iESGFr.exe (PID: 1576 cmdline: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe MD5: B091C4848287BE6601D720997394D453)

powercfg.exe (PID: 5148 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5600 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5528 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 3524 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2296 cmdline: C:\Windows\system32\sc.exe delete "OBGPQMHF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QnkREgWvOVM7UiM40Bqj5sWB.exe (PID: 3292 cmdline: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe MD5: 817C11005CA185252E666C25769A2591)

M3c5GcarM7S9e4Fzg9fhkljA.exe (PID: 1272 cmdline: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe MD5: 0BB19EEF181634DC1AEA014783928EFB)

conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

azloBsQlDmB56PqIarSd7g7V.exe (PID: 1196 cmdline: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe MD5: 3F9AE180E3D7B62BC7C5DD2CEEC62A56)

Conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Honz_MBQI6vCkcbyCN3yB4rh.exe (PID: 5664 cmdline: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe MD5: 5917C8E5A003B2C211150D1F92440F79)

conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Honz_MBQI6vCkcbyCN3yB4rh.exe (PID: 2124 cmdline: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe MD5: 5917C8E5A003B2C211150D1F92440F79)

svchost.exe (PID: 2352 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2748 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Install.exe (PID: 1772 cmdline: .\Install.exe /dlhwdidkpGO "525403" /S MD5: F8EFB05B940B05FC74801B61B3C0F500)

svchost.exe (PID: 2020 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6464 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: LummaC

{"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop"], "Build id": "DIJQ6z--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}

Threatname: RedLine

{"C2 url": ["5.42.65.50:33080"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcb387:$s1: file:/// 0xcb297:$s2: {11111-22222-10009-11112} 0xcb317:$s3: {11111-22222-50001-00000} 0xc9fdb:$s4: get_Module 0x41c0ea:$s4: get_Module 0xc2f8e:$s5: Reverse 0x41abeb:$s5: Reverse 0x41ad57:$s6: BlockCopy 0xc0864:$s7: ReadByte 0x40f9a2:$s7: ReadByte 0xcb399:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000003.2518467991.0000000006B38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000016.00000003.2518348325.0000000006AC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000012.00000002.2709843696.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000002.2710983086.0000000002EA2000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3b12:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000016.00000002.2602141465.000000000671F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: yyfBua979C0ZzSPnCxybIlhk.exe PID: 6776	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Fb9COhEBuDNRhtMnCgGo2QiL.exe PID: 4068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: tNKXm3LImvO5in9OelWM8_lp.exe PID: 1628	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: M3c5GcarM7S9e4Fzg9fhkljA.exe PID: 1272	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x503c3:$s1: file:/// 0x502fb:$s2: {11111-22222-10009-11112} 0x50353:$s3: {11111-22222-50001-00000} 0x4cd4c:$s4: get_Module 0x47f68:$s5: Reverse 0x487f0:$s6: BlockCopy 0x47f50:$s7: ReadByte 0x503d5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x521c3:$s1: file:/// 0x520fb:$s2: {11111-22222-10009-11112} 0x52153:$s3: {11111-22222-50001-00000} 0x4eb4c:$s4: get_Module 0x49d68:$s5: Reverse 0x4a5f0:$s6: BlockCopy 0x49d50:$s7: ReadByte 0x521d5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fc0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.2.tNKXm3LImvO5in9OelWM8_lp.exe.800000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcb387:$s1: file:/// 0xcb297:$s2: {11111-22222-10009-11112} 0xcb317:$s3: {11111-22222-50001-00000} 0xc9fdb:$s4: get_Module 0x41c0ea:$s4: get_Module 0xc2f8e:$s5: Reverse 0x41abeb:$s5: Reverse 0x41ad57:$s6: BlockCopy 0xc0864:$s7: ReadByte 0x40f9a2:$s7: ReadByte 0xcb399:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
6.2.yyfBua979C0ZzSPnCxybIlhk.exe.920000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
22.2.azloBsQlDmB56PqIarSd7g7V.exe.c80000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 18 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe, ParentImage: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe, ParentProcessId: 1576, ParentProcessName: GDL7jRat1qTWaJDTi_iESGFr.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5148, ProcessName: powercfg.exe

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe, ProcessId: 6204, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, ProcessId: 432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, CommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, ProcessId: 2352, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	Avira: detection malicious, Label: TR/AD.Nekark.sbdpe

Found malware configuration

Source: 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}
Source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}
Source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["5.42.65.50:33080"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe.3292.20.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "entitlementappwo.shop", "stripmarrystresew.shop"], "Build id": "DIJQ6z--"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe	ReversingLabs: Detection: 48%
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe	ReversingLabs: Detection: 33%
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\123p[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Space1.9_team[1].exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default12_team[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[2].exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\timeSync[1].exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\tQYsPom.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\DEC.exe	ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

ReversingLabs: Detection: 21%

Yara detected Glupteba

Source: Yara match	File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wifeplasterbakewis.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mealplayerpreceodsju.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bordersoarmanusjuw.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: suitcaseacanehalk.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: absentconvicsjawun.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pushjellysingeywus.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: economicscreateojsu.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: entitlementappwo.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stripmarrystresew.shop
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: DIJQ6z--
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetProcAddress
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: LoadLibraryA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: lstrcatA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: OpenEventA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateEventA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CloseHandle
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Sleep
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: VirtualFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetSystemInfo
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: VirtualAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HeapAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetComputerNameA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: lstrcpyA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetProcessHeap
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: lstrlenA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ExitProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetSystemTime
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: advapi32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: gdi32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: user32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: crypt32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ntdll.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetUserNameA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateDCA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ReleaseDC
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sscanf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: VMwareVMware
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HAL9TH
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: JohnDoe
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DISPLAY
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: http://185.172.128.23
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: /f993692117a3fda2.php
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: /8e6d9db21fb63946/
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: default9
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GlobalLock
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HeapFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetFileSize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GlobalSize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: IsWow64Process
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Process32Next
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetLocalTime
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: FreeLibrary
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Process32First
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DeleteFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: FindNextFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: LocalFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: FindClose
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: LocalAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ReadFile
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SetFilePointer
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: WriteFile
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: FindFirstFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CopyFileA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: VirtualProtect
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetLastError
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: lstrcpynA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GlobalFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GlobalAlloc
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: OpenProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: TerminateProcess
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: gdiplus.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ole32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: bcrypt.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: wininet.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: shell32.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: psapi.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SelectObject
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BitBlt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DeleteObject
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdiplusStartup
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GdipFree
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CoUninitialize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CoInitialize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CoCreateInstance
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetWindowRect
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetDC
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CloseWindow
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: wsprintfA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CharToOemW
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: wsprintfW
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RegCloseKey
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RegEnumValueA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: InternetConnectA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: InternetOpenA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: InternetReadFile
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: StrCmpCA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: StrStrA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: StrCmpCW
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RmStartSession
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RmRegisterResources
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RmGetList
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: RmEndSession
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_open
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_step
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_close
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: encrypted_key
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: PATH
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: NSS_Init
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: browser:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: profile:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: url:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: login:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: password:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Opera
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: OperaGX
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Network
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: cookies
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: .txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: TRUE
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: FALSE
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: autofill
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: history
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: name:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: month:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: year:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: card:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Cookies
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Login Data
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Web Data
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: History
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: logins.json
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: formSubmitURL
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: usernameField
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: encryptedUsername
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: encryptedPassword
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: guid
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: cookies.sqlite
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: places.sqlite
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: plugins
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Local Extension Settings
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: IndexedDB
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Opera Stable
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Opera GX Stable
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: CURRENT
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: chrome-extension_
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Local State
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: profiles.ini
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: chrome
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: opera
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: firefox
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: wallets
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ProductName
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ProcessorNameString
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DisplayName
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DisplayVersion
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Network Info:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - IP: IP?
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Country: ISO?
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: System Summary:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - HWID:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - OS:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Architecture:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - UserName:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Computer Name:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Local Time:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - UTC:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Language:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Keyboards:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Laptop:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Running Path:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - CPU:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Threads:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Cores:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - RAM:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - Display Resolution:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: - GPU:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: User Agents:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Installed Apps:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: All Users:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Current User:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Process List:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: system_info.txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: freebl3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: mozglue.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: msvcp140.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: nss3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: softokn3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Temp\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: .exe
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: runas
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: open
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: /c start
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %DESKTOP%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %APPDATA%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: %RECENT%
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: *.lnk
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: files
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \discord\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: key_datas
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: map*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Telegram
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: *.tox
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: *.ini
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Password
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: 00000001
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: 00000002
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: 00000003
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: 00000004
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Pidgin
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \.purple\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: accounts.xml
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: token:
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: SteamPath
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \config\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ssfn*
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: config.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: loginusers.vdf
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Steam\
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: sqlite3.dll
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: browsers
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: done
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: soft
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: https
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: POST
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: HTTP/1.1
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: hwid
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: build
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: token
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: file_name
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: file
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: message
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987D9D0 CryptAcquireContextA,GetLastError,	7_2_6987D9D0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	7_2_6987DBB0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987DD20 CryptReleaseContext,	7_2_6987DD20
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987DEE0 CryptReleaseContext,	7_2_6987DEE0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987DE00 CryptGenRandom,__CxxThrowException@8,	7_2_6987DE00
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_698A35E0 CryptReleaseContext,	7_2_698A35E0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987D7D4 CryptReleaseContext,	7_2_6987D7D4
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6987D7F0 CryptReleaseContext,	7_2_6987D7F0

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe

Unpacked PE file: 44.2.cddvdrunner2333.exe.400000.0.unpack

Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbu source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2684621508.00000000698A4000.00000002.00000001.01000000.00000028.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: BdeHdCfg.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: symsrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb;Cn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: r\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Moq.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: uic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: BdeHdCfg.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: symsrv.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: dbghelp.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Loader.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2102749607.000002262FB02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104110962.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104275365.000002262FAAD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104927446.000002262FFEF000.00000004.00000020.00020000.00000000.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000000.2244173110.0000000000312000.00000002.00000001.01000000.0000000E.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000002.2431895922.0000000000312000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: yyfBua979C0ZzSPnCxybIlhk.exe, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654915199.0000000000ABB000.00000040.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000000.2240349104.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589762241.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp
Source:	Binary string: Moq.pdbSHA256@ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbJn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: changepk.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: CameraSettingsUIHost.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbB# source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdbjz source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: .pdb.dbg source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: AppInstallerBackgroundUpdate.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: change.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: AppInstallerBackgroundUpdate.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\build\client\wNow64a\B_rel\atieclxx.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: changepk.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CameraSettingsUIHost.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004A79000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004C04000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005D8A000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: y\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb~~ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: change.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6940
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_05ABD588
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6939
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_05AB5565
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_05ABD480
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6C69
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_05ABD478
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6C70
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then jmp 05ABD06Ah	7_2_05ABCFB8
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then jmp 05ABD06Ah	7_2_05ABCFB0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6B60
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6B58
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_05AB36DC
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_05ABCED7
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6A48
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	7_2_05AB6A50

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.67.196.94 443
Source: C:\Windows\explorer.exe	Network Connect: 186.10.34.51 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: stripmarrystresew.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor	URLs: http://nidoe.org/tmp/index.php
Source: Malware configuration extractor	URLs: http://sodez.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://uama.com.ua/tmp/index.php
Source: Malware configuration extractor	URLs: http://talesofpirates.net/tmp/index.php
Source: Malware configuration extractor	URLs: 5.42.65.50:33080

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: f4Y7IGUXRMqOH79zw7TPvsbX.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: Gon5N1KYkyaNFzeeJDoj76Fi.exe.0.dr

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: 6_2_0093E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,

6_2_0093E220

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.twitter.com (Twitter)
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.youtube.com (Youtube)

Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://127.0.0.1:
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/dl.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/dl.php(
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/dl.php.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/dacha/rules.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/dacha/rules.exeL
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/dacha/rules.exem
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma1504.exe
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma1504.exen%$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/api/flash.php
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/api/flash.php:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/api/flash.phpH
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/api/flash.phpV
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/api/flash.phpr
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exeP
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exeV
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exef
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/page_error.jpeg
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/page_error.jpegF3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/page_error.jpegb3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/page_error.jpeghttp://5.42.66.10/download/page_error.pngC:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/page_error.png
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/page_error.png.
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage12.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage12.phpgs
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2169039039.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php$
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php12.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpings
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpings&
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpingsB
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpom/0/6
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpphp.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpv
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/r
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/rIMa
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10:80/api/flash.php
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10:80/api/flash.php3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10:80/api/flash.php51
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10:80/download/page_error.pngZZ
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveResponse
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveT
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartResponse
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartT
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ACVC.WPF.Service.WcfT
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vovsoft.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA00000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wikkt.com/forum/index.php
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wikkt.com/forum/index.phpF
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wikkt.com/forum/index.phpa
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108082037.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA3C000.00000004.00000020.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000000.2240084953.0000000000410000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.innosetup.com
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org).
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDp
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.tiktok.com
Source: tNKXm3LImvO5in9OelWM8_lp.exe, 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/v
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com:443/ows
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108775259.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108362466.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2116491415.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113083438.000002262FA0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113464336.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2111124592.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2121711417.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassia~(
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe;2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe;2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2112981350.000002262FA85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168867567.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104775379.000002262FA8A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/8b0be658-c958-47a3-96e4-fc8e5fe7c5dc/downloads/dc50f97b-477f-
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exeT
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094479399.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org:80/superworkspacenb/gerge/downloads/grabber.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.574859385.xyz/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2121711417.000002262FA0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.574859385.xyz/525403/setup.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.574859385.xyz/6
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/ee45f9fcdced34e0430667992abd2d38/cad54ba5b0142
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103339004.000002262FA57000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103290439.000002262FA56000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7C6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103999098.000002262F9F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/ee45f9fcdced34e0430667992abd2d38/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ampproject.org
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.syndication.twimg.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.goo
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513459274.0000000003796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx1:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513596742.0000000003788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx4
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxR4
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://connect.facebook.net
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52:~s
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52esI
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/l
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/t
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/~
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52z
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA00000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.vk.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html#process
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/NavigationTiming/Overview.html#processing-model
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gigachadfanclub.org/ee45f9fcdced34e0430667992abd2d38/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://github.com/moq/moq4
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/:
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000068A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52c
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52w
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52c
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/1BV4j7.mp4
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/1BV4j7.mp4s%
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/1pRXr7.txt
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/1pRXr7.txtjs_
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/1tqHh7.mp3
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/P
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/R
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/_F
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/s
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru:443/1BV4j7.mp4O
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru:443/1pRXr7.txt
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru:443/1tqHh7.mp3u
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1nhuM4.js
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1nhuM4.jsX
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org:443/1nhuM4.js
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://login.microsoftonline.com/crypto/rc4:
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=login
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=logout&hash=df5be74fd1475c23cd&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcr
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://management.azure.cominvalid
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://management.chinacloudapi.cnP224
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://management.core.chinacloudapi.cnchacha20poly1305:
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://management.core.usgovcloudapi.netGODEBUG
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://management.usgovcloudapi.nethttps://management.core.windows.net/edwards25519:
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maps.googleapis.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exep/0/6
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exes.top/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top:80/style/060.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top:80/style/060.exe2$
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113407483.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2110942258.000002262FA82000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2112684823.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108279479.000002262FA62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108740822.000002262FA82000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA61000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2115459164.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108397207.000002262FA80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exenet/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exen$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513459274.0000000003796000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page-error.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page-error.com/performance/?license=$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513679922.000000000379A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513150367.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513596742.0000000003788000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513642281.0000000003790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page-error.com/thankyou/?uuid=$
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000378A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513385608.0000000003790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://page-error.comJ
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/r
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153658618.000002262F7EB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://papi.vk.com/pushsse/ruim
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://platform.twitter.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r.mradx.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securepubads.g.doubleclick.net
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/base.7c74f023.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/common.1545e5c6.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/fonts_cnt.c7a76efe.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/fonts_utf.7fa94ada.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/ui_common.eebaf9c8.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/uncommon.6d51982c.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/vk_sans_display.5625d45f.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/vk_sans_display_faux.7d208ecb.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/al/vkui.43318ab6.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/css/fonts/VKSansDisplayDemiBoldFaux.v100.woff2
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.89b663a3.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.93b52d88.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/common.a525896b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/react.759f82b6.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/state-management.c22f9f68.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit-icons.826b9222.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit.07cf1bad.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkcom-kit.fef2a97a.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/chunks/vkui.bce4c996.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/common_web.6a09f0e1.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/common_web.9d09fc5d.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/css_types.1bff1a5b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/docs.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/docs.93c768ea.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/error_monitoring.isolated.3df2967b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/grip.0b3b493f.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/jobs_devtools_notification.14f96f02.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/likes.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/likes.de4f3981.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/page_layout.7b5800c2.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/performance_observers.4d12f60f.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/polyfills.isolated.edaffb7b.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/raven_logger.ea0a2239.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/site_layout.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/site_layout.4881c427.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/ui_common.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/ui_common.88618847.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/unauthorized.20074c02.css
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/unauthorized.bf4667d7.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-22.vk.com/dist/web/vk_sans_observer.fb28db65.js
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.vk.me
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stats.vk-portal.net
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA00000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-21.userapi.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-21.userapi.com/c236331/u5294803/docs/d24/3cad94b79c70/imgdrive_2_1.bmp?extra=KSt_51f-h8
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-21.userapi.com/c909328/u5294803/docs/d12/eb1afcc538fd/PL_Clients.bmp?extra=iwYpYeMLSGBx
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-21.userapi.com/p
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000063E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT%
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://t.me/irfail
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://t.me/irfailAt
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2514882020.0000000006797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tagmanager.google.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ton.twimg.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/&
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exebe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exes
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2628063256.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F7CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/Security
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurK
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668512951?hash=uac9wbeb45bZZ2A4Vgx1xpUTavuZvoy56VWHrfJX9iH&dl=BnUuPvvpE2Gl
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153300103.000002262FA1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139755953.000002262FA19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/r
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.ru
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vovsoft.com/contact/
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vovsoft.com/contact/.
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2256931870.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000003.2263550394.0000000002194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vovsoft.com/newsletter/
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103368896.000002262FA12000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.c
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000377C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com
Source: yyfBua979C0ZzSPnCxybIlhk.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2643761852.000000002D1E0000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2643761852.000000002D1E0000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2643761852.000000002D1E0000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://www.security.us.panasonic.com
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: RawInputListener: RegisterRawInputDevices() failed, quitting...

memstr_b18b3860-e

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp2BCA.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp2BDA.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe entropy: 7.99834341189	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe entropy: 7.99834341189	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\setup[1].exe entropy: 7.99641413191	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe entropy: 7.99641413191	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe entropy: 7.99564568557	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe entropy: 7.99564568557	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\bynA5XZaUopLU9g6Euj0.exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip entropy: 7.99782759214	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe entropy: 7.99003010243	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\python38.dll entropy: 7.99191184235	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\_cffi.cp38-win_amd64.pyd entropy: 7.99362866091	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000012.00000002.2709843696.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000002.2710983086.0000000002EA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, Strings.cs

Large array initialization: Strings: array initializer size 6160

PE file contains section with special chars

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05ABD590 NtUnmapViewOfSection,		7_2_05ABD590
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05ABD58B NtUnmapViewOfSection,		7_2_05ABD58B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Windows\System32\GroupPolicy\gpt.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Windows\System32\GroupPolicy\Machine	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Windows\System32\GroupPolicy\User	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0092C490	6_2_0092C490
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0092BFC0	6_2_0092BFC0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0095C800	6_2_0095C800
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00991830	6_2_00991830
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3186E	6_2_00C3186E
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C34077	6_2_00C34077
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A1B84F	6_2_00A1B84F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3A1DF	6_2_00C3A1DF
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A1D9FE	6_2_00A1D9FE
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0096C160	6_2_0096C160
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C322E8	6_2_00C322E8
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3328E	6_2_00C3328E
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C34A5A	6_2_00C34A5A
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009A1A30	6_2_009A1A30
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009A7270	6_2_009A7270
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0096EB90	6_2_0096EB90
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A05B90	6_2_00A05B90
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C32B8B	6_2_00C32B8B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A003D0	6_2_00A003D0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C32360	6_2_00C32360
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0095FB60	6_2_0095FB60
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A03B58	6_2_00A03B58
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0099F360	6_2_0099F360
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00936490	6_2_00936490
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3B49D	6_2_00C3B49D
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A16CC5	6_2_00A16CC5
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00922400	6_2_00922400
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3242B	6_2_00C3242B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009A3470	6_2_009A3470
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00A0959F	6_2_00A0959F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C39D89	6_2_00C39D89
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C39555	6_2_00C39555
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3350A	6_2_00C3350A
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009906C0	6_2_009906C0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009A3EF0	6_2_009A3EF0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00938EE0	6_2_00938EE0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00922600	6_2_00922600
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00992630	6_2_00992630
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C35FB7	6_2_00C35FB7
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009A2FE0	6_2_009A2FE0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C39751	6_2_00C39751
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6984B6B0	7_2_6984B6B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69864970	7_2_69864970
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69890B89	7_2_69890B89
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69828B30	7_2_69828B30
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69864AC0	7_2_69864AC0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69842D70	7_2_69842D70
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6989AC29	7_2_6989AC29
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69874EE0	7_2_69874EE0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6983A0C0	7_2_6983A0C0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_698763B0	7_2_698763B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69882310	7_2_69882310
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6989A54D	7_2_6989A54D
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69864550	7_2_69864550
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6982C7B0	7_2_6982C7B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6982A7E0	7_2_6982A7E0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69826650	7_2_69826650
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6989B964	7_2_6989B964
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_698758D7	7_2_698758D7
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_698758D5	7_2_698758D5
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69875830	7_2_69875830
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69899AAB	7_2_69899AAB
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69875DD0	7_2_69875DD0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69895DD2	7_2_69895DD2
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69863C90	7_2_69863C90
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69881CA0	7_2_69881CA0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69899FFC	7_2_69899FFC
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6989BFF1	7_2_6989BFF1
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69875EB9	7_2_69875EB9
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69863E50	7_2_69863E50
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69875050	7_2_69875050
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69863260	7_2_69863260
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69875274	7_2_69875274
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_69863460	7_2_69863460
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A6A9B8	7_2_01A6A9B8
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A69890	7_2_01A69890
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A6CA28	7_2_01A6CA28
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A61120	7_2_01A61120
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A61110	7_2_01A61110
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A68368	7_2_01A68368
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A60D60	7_2_01A60D60
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A60D70	7_2_01A60D70
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_01A66F59	7_2_01A66F59
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05AB0040	7_2_05AB0040
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05AB31B0	7_2_05AB31B0
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05AB2E58	7_2_05AB2E58
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05B90EB3	7_2_05B90EB3
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05B926F8	7_2_05B926F8
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05B90930	7_2_05B90930
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_05B926DC	7_2_05B926DC

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: String function: 69889B35 appears 141 times
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: String function: 6988D520 appears 31 times
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: String function: 698890D8 appears 51 times

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Static PE information: invalid certificate

Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr

Static PE information: Resource name: AUUPG type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: Space1.9_team[1].exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: Default12_team[1].exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: Retailer_prog[1].exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: Number of sections : 15 > 10

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139567155.000002262FC00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000000.2030166989.00007FF77F8DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCookComputing.XmlRpcV2.dll8 vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2139278820.000002262FE9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCookComputing.XmlRpcV2.dll8 vs SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000012.00000002.2709843696.0000000002DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000002.2710983086.0000000002EA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version	Jump to behavior

Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9997554064239332
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: Section: ZLIB complexity 1.000469355620155
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9892578125
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9994283536585366
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, e7EuwtGMnIvwifDxGE0.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@214/396@0/31

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

File created: C:\Users\user\Documents\SimpleAdobe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

File created: C:\Users\user\AppData\Local\Temp\adobequx8jdqZzTMI

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe

File opened: C:\Windows\system32\3743bfe92965e651c86de88a577beac623f12834a30d8c2ced3f982234136822AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

File read: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654714802.0000000000A35000.00000002.00000001.01000000.00000006.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2596553439.0000000000D96000.00000040.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2072366841.000002262F735000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2072325699.000002262DA29000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2471077165.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2471737073.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2472044878.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2469332249.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2470572740.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, 8q5xyu0coQILTrboZdACo84I.exe, 0000000B.00000003.2489340445.000000002106E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

ReversingLabs: Detection: 21%

Source: yyfBua979C0ZzSPnCxybIlhk.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe .\Install.exe /dlhwdidkpGO "525403" /S
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Process created: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp "C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp" /SL4 $B0024 "C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe" 3625196 52224
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process created: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe "C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe .\Install.exe /dlhwdidkpGO "525403" /S	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Process created: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp "C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp" /SL4 $B0024 "C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe" 3625196 52224
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process created: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe "C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fhsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msidle.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncasvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: httpprxp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wpdbusenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceconnectapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: mozglue.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: winsta.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: sxs.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: sfc.dll
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: riched20.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: usp10.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: msls31.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Static file information: File size 4008384 > 1048576

Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Static PE information: Raw size of .vmp(R is bigger than: 0x100000 < 0x39d000

Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbu source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2684621508.00000000698A4000.00000002.00000001.01000000.00000028.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: BdeHdCfg.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: symsrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb;Cn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: r\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Moq.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.0000000001680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: uic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2586786006.0000000001338000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: BdeHdCfg.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: symsrv.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000C7A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.PDB source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2681483906.0000000006373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: dbghelp.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Loader.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2102749607.000002262FB02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104110962.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104275365.000002262FAAD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104927446.000002262FFEF000.00000004.00000020.00020000.00000000.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000000.2244173110.0000000000312000.00000002.00000001.01000000.0000000E.sdmp, B0SLNTT0ZbIxZcHr0SHBJGEz.exe, 00000010.00000002.2431895922.0000000000312000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: yyfBua979C0ZzSPnCxybIlhk.exe, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2654915199.0000000000ABB000.00000040.00000001.01000000.00000006.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000000.2240349104.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589762241.00000000003F6000.00000080.00000001.01000000.0000000A.sdmp
Source:	Binary string: Moq.pdbSHA256@ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbJn source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: changepk.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: CameraSettingsUIHost.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2495725172.000002D546A80000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000266000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C0002EC000.00000004.00001000.00020000.00000000.sdmp, QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000003.2485404914.000002D546AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbB# source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdbjz source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: mscorlib.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: .pdb.dbg source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: AppInstallerBackgroundUpdate.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: change.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: AppInstallerBackgroundUpdate.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\build\client\wNow64a\B_rel\atieclxx.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: changepk.pdb source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002247000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CameraSettingsUIHost.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004A79000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2634159423.0000000004C04000.00000004.00000800.00020000.00000000.sdmp, Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2671952511.0000000005D8A000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: y\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb~~ source: Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2589163280.00000000016F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: change.pdbGCTL source: OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002217000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Unpacked PE file: 18.2.wjwNFr_3XWBVO8HOPBPzLGWO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe	Unpacked PE file: 44.2.cddvdrunner2333.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.rview4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe

Unpacked PE file: 44.2.cddvdrunner2333.exe.400000.0.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, e7EuwtGMnIvwifDxGE0.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, nbHRr4wrm68DvPGr2G8.cs	.Net Code: gIHi6nZTWj
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, nbHRr4wrm68DvPGr2G8.cs	.Net Code: H0XvE6l8vb

Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe.0.dr

Static PE information: 0x81E836EB [Mon Jan 24 10:54:35 2039 UTC]

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: 6_2_00938BB0 LoadLibraryA,GetProcAddress,

6_2_00938BB0

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp(R

Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4004000

Source: 7725eaa6592c80f8124e769b4e8a07f7[1].exe.0.dr	Static PE information: real checksum: 0x42e5b5 should be: 0x42d3e3
Source: setup294[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x21765e
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x6b3228
Source: xNcVS_VvZEHfTUaNtkua55mf.exe.0.dr	Static PE information: real checksum: 0x42e5b5 should be: 0x432f23
Source: Fb9COhEBuDNRhtMnCgGo2QiL.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4a74cf
Source: setup[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x6b3228
Source: B0SLNTT0ZbIxZcHr0SHBJGEz.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x21765e
Source: f5PK0Fmcntr6Bz8d571_sPMM.exe.0.dr	Static PE information: real checksum: 0x42e5b5 should be: 0x42d3e3
Source: jToGBYVMqv5v7FLLCc3PnzZj.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d3d2c
Source: 060[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3d3d2c
Source: cad54ba5b01423b1af8ec10ab5719d97[1].exe.0.dr	Static PE information: real checksum: 0x42e5b5 should be: 0x432f23
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x644d0
Source: tNKXm3LImvO5in9OelWM8_lp.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x899e4

Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: _RDATA
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .themida
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Static PE information: section name: .vmp(R
Source: setup294[1].exe.0.dr	Static PE information: section name: .didat
Source: B0SLNTT0ZbIxZcHr0SHBJGEz.exe.0.dr	Static PE information: section name: .didat
Source: setup[1].exe.0.dr	Static PE information: section name: .sxdata
Source: OPHZ4RYtForDNHqUKDzFdbyl.exe.0.dr	Static PE information: section name: .sxdata
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .themida
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default12_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .themida
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: yyfBua979C0ZzSPnCxybIlhk.exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .themida
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .themida
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe.0.dr	Static PE information: section name: .vmp(R
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe.0.dr	Static PE information: section name: .xdata
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name:
Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr	Static PE information: section name: .themida
Source: 123p[1].exe.0.dr	Static PE information: section name: .00cfg
Source: 123p[1].exe.0.dr	Static PE information: section name: .text0
Source: 123p[1].exe.0.dr	Static PE information: section name: .text1
Source: 123p[1].exe.0.dr	Static PE information: section name: .text2
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .themida
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Space1.9_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .themida
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: azloBsQlDmB56PqIarSd7g7V.exe.0.dr	Static PE information: section name: .vmp(R
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr	Static PE information: section name: .00cfg
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr	Static PE information: section name: .text0
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr	Static PE information: section name: .text1
Source: GDL7jRat1qTWaJDTi_iESGFr.exe.0.dr	Static PE information: section name: .text2
Source: grabber[1].exe.0.dr	Static PE information: section name: _RDATA
Source: Honz_MBQI6vCkcbyCN3yB4rh.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3A8CC push ebp; mov dword ptr [esp], eax	6_2_00E1412D
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3A8CC push edi; mov dword ptr [esp], ebp	6_2_00E1416B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3A8CC push 3B40FFB0h; mov dword ptr [esp], ebp	6_2_00E141D6
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3A8CC push eax; mov dword ptr [esp], edi	6_2_00E141EB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push 7FB76899h; mov dword ptr [esp], esp	6_2_00E2399F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push edx; mov dword ptr [esp], edi	6_2_00E239BB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push 725129A4h; mov dword ptr [esp], esp	6_2_00E239E1
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push 6BD64571h; mov dword ptr [esp], edi	6_2_00E23A4F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push 5CD7A313h; mov dword ptr [esp], eax	6_2_00E23A83
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push edx; mov dword ptr [esp], edi	6_2_00E23B4E
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C340DD push eax; mov dword ptr [esp], ebp	6_2_00E23B7B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3B0E6 push edi; mov dword ptr [esp], eax	6_2_00E26AB8
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3B0E6 push eax; mov dword ptr [esp], ebp	6_2_00E26BC3
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3908B push ecx; mov dword ptr [esp], edx	6_2_00E19021
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3908B push ebx; mov dword ptr [esp], eax	6_2_00E19044
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3908B push eax; mov dword ptr [esp], 194A00EBh	6_2_00E19057
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3908B push edi; mov dword ptr [esp], 00D6AF5Bh	6_2_00E19121
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3908B push 4A09B8EBh; mov dword ptr [esp], eax	6_2_00E19170
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C330BF push edi; mov dword ptr [esp], edx	6_2_00E16F99
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C330BF push 0242F1AFh; mov dword ptr [esp], ebx	6_2_00E16FCF
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C330BF push 176328ABh; mov dword ptr [esp], edi	6_2_00E16FE7
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C330BF push esi; mov dword ptr [esp], 5BB7B8A1h	6_2_00E1708F
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C330BF push 58BB0EE8h; mov dword ptr [esp], ecx	6_2_00E170B6
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C330BF push ebx; mov dword ptr [esp], edx	6_2_00E1712C
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3186E push 212322F7h; mov dword ptr [esp], eax	6_2_00E27B63
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3186E push esi; mov dword ptr [esp], ebp	6_2_00E27BC7
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C3186E push 76A7464Dh; mov dword ptr [esp], edx	6_2_00E27C23
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C34077 push ebp; mov dword ptr [esp], edi	6_2_00E1D8CB
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C34077 push ecx; mov dword ptr [esp], ebp	6_2_00E1D90B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C34077 push edx; mov dword ptr [esp], 000AABD3h	6_2_00E1D97B
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_00C34077 push 0E20700Ch; mov dword ptr [esp], edx	6_2_00E1D9C2

Source: DLdiRYbSxUKrp0thTehxs0R7.exe.0.dr

Static PE information: section name: entropy: 7.999611881196484

Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, nbHRr4wrm68DvPGr2G8.cs	High entropy of concatenated method names: 'tm3JNKOfeW', 'dmaJ2LKJPv', 'z6oJOGdAkB', 'rGNJsT4K1w', 'hqWJQRmSLQ', 'kp6JCL917j', 'QOwJYYrNj7', 'Lj9w2n13yO', 'eJ2J8wCEuG', 'CU0JLqixeJ'
Source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, e7EuwtGMnIvwifDxGE0.cs	High entropy of concatenated method names: 'nwZuVFQvkC', 'g38PJ8K3c0', 'fpOulNOay4', 'tvNu1NQNXT', 'VZauNxh8gy', 'fCfu2lbAVZ', 'R1aBWr0WHY', 'L2UGSMfnEw', 'SQsGkNL33N', 'f5VGz55rr8'

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\123p[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\BdeHdCfg.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\backend_c.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\cad54ba5b01423b1af8ec10ab5719d97[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	File created: C:\Users\user\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\tQYsPom.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe	File created: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\CameraSettingsUIHost.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\upx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\libssl-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Space1.9_team[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\change.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\2eb29b48[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	File created: C:\Users\user\AppData\Local\Temp\TaFd.XRA	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\changepk.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\setup[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\p508E0L2OxcFz21C_cBt.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default12_team[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[2].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\python38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\netconn_properties.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\bynA5XZaUopLU9g6Euj0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\rules[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3TV13.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\7725eaa6592c80f8124e769b4e8a07f7[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\registers.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\_cffi.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-0MI7C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\AppInstallerBackgroundUpdate.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	File created: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\setup294[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-FD6NC.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\DEC.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fcegbwt	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	File created: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3KPDG.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\atieclxx.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File created: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe	File created: C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File created: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	File created: C:\Users\user\AppData\Local\Temp\TaFd.XRA			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fcegbwt			Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\128.png	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\manifest.json	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\performance.js	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.css	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.html	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.js	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\worker.js	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata\verified_contents.json	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings	Jump to behavior

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Window searched: window name: RegmonClass

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c

Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\fcegbwt:Zone.Identifier read attributes | delete

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Memory written: PID: 1576 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Memory written: PID: 1576 base: 7FF8C88ED9F0 value: E9 20 26 16 00

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: 6_2_009A1A30 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_009A1A30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Fb9COhEBuDNRhtMnCgGo2QiL.exe PID: 4068, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found API chain indicative of sandbox detection

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_6-27031

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_6-27032

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Stalling execution: Execution stalls by calling Sleep

graph_6-26305

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Fan

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_Slot

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_NumericSensor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_Sensor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_TemperatureSensor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PerfFormattedData_Counters_ThermalZoneInformation

Queries voltage information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_VoltageSensor

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wjwNFr_3XWBVO8HOPBPzLGWO.exe, 00000012.00000002.2710664530.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Special instruction interceptor: First address: 7FF77F1DCDCA instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Special instruction interceptor: First address: 4F3339 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Special instruction interceptor: First address: F3E827 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Special instruction interceptor: First address: 576957 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Special instruction interceptor: First address: BCF9B7 instructions caused by: Self-modifying code

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory allocated: 1A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch

Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

6_2_0097D9F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1267
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 452

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-26318

Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\BdeHdCfg.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\backend_c.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\CameraSettingsUIHost.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\upx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\change.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\TaFd.XRA	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\changepk.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\python38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\netconn_properties.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidi4Oj_OpvPYvao\bynA5XZaUopLU9g6Euj0.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3TV13.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\_cffi.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\exe\registers.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-0MI7C.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0T16J.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\AppInstallerBackgroundUpdate.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\_queue.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-FD6NC.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DEC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\CD-DVD-Runner\is-3KPDG.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\atieclxx.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56642\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 6536	Thread sleep count: 286 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 6536	Thread sleep time: -57200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 4308	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe TID: 4616	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe TID: 5696	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe TID: 1568	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe TID: 2068	Thread sleep count: 58 > 30
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe TID: 2068	Thread sleep count: 60 > 30
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe TID: 2068	Thread sleep count: 61 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 408	Thread sleep count: 122 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 408	Thread sleep count: 224 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 4580	Thread sleep count: 41 > 30
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe TID: 408	Thread sleep count: 111 > 30
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe TID: 2300	Thread sleep count: 45 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7864	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2928	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.0000000000698000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: svchost.exe, 00000004.00000003.2043499640.000001FA30845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2513974085.0000000006AB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000068A000.00000004.00000020.00020000.00000000.sdmp, yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Hrpxb3VVNyjyS2Of2WrcJREY.exe, 0000000F.00000003.2444818155.0000000001321000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2648077707.000002D501448000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: rvzZmTKhzLAk54H0OO5fg4xv.exe, 0000000E.00000003.2432316204.0000000002DAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: rvzZmTKhzLAk54H0OO5fg4xv.exe, 0000000E.00000003.2432316204.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}(
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2602826536.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: main.isRunningInsideVMWare
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000003.2591934723.00000000006A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000002.00000002.2415447370.000001FDBA202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000068A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&+
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2505598874.0000000006AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

API call chain: ExitProcess graph end node

graph_7-58541

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process queried: DebugPort

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

Code function: 7_2_6988B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6988B144

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: 6_2_00938BB0 LoadLibraryA,GetProcAddress,

6_2_00938BB0

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0097D9F0 mov eax, dword ptr fs:[00000030h]	6_2_0097D9F0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0097D9F0 mov eax, dword ptr fs:[00000030h]	6_2_0097D9F0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_0093AB90 mov eax, dword ptr fs:[00000030h]	6_2_0093AB90
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009360B0 mov ecx, dword ptr fs:[00000030h]	6_2_009360B0
Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Code function: 6_2_009346B0 mov eax, dword ptr fs:[00000030h]	6_2_009346B0

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: 6_2_009294C0 OutputDebugStringA,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree,

6_2_009294C0

Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process token adjusted: Debug
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process token adjusted: Debug

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6988B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		7_2_6988B144
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Code function: 7_2_6988948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_6988948B

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: fcegbwt.48.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.67.196.94 443
Source: C:\Windows\explorer.exe	Network Connect: 186.10.34.51 80

Allocates memory in foreign processes

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2530000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe

Thread created: C:\Windows\explorer.exe EIP: 31819D0

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtQuerySystemInformation: Indirect: 0x7FF77F3C4DA5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtSetInformationThread: Indirect: 0x7FF77F42E2A5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtQueryInformationProcess: Indirect: 0x7FF77F41DA6B	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x141036FB5
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x140FE889D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F5BD6CC	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x1416CF1D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F62EF94	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Indirect: 0x140F595B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F877A52	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtMapViewOfSection: Direct from: 0x14100CB88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F61D9A5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F7D87EC	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x1416AD85D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F6310E6	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F548F53	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F7D726F	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F5B98FD	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtOpenFile: Direct from: 0x140FBB569
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F7D86D9	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x14102BFF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtQueryInformationProcess: Indirect: 0x7FF77F41DB99	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F7B8033	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x141037F5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	NtProtectVirtualMemory: Direct from: 0x7FF77F5522E2	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x141019C6D
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	NtProtectVirtualMemory: Direct from: 0x141699636

Injects a PE file into a foreign processes

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2530000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wifeplasterbakewis.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mealplayerpreceodsju.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bordersoarmanusjuw.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: suitcaseacanehalk.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: absentconvicsjawun.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pushjellysingeywus.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: economicscreateojsu.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: entitlementappwo.shop
Source: QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2623770026.000000C000360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stripmarrystresew.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Documents\SimpleAdobe\wjwNFr_3XWBVO8HOPBPzLGWO.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Sample uses process hollowing technique

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 464000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4C0000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EC7008
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2530000
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 26F4008
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B2E008

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Source: C:\Users\user\Documents\SimpleAdobe\tNKXm3LImvO5in9OelWM8_lp.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\M3c5GcarM7S9e4Fzg9fhkljA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

Code function: 7_2_698884B0 cpuid

7_2_698884B0

Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\QnkREgWvOVM7UiM40Bqj5sWB.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\certifi VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_lzma.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nyv8h1dp VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pywintypes38.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32\pythoncom38.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32api.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g\gen_py\__init__.py VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpx_3rmj6g\gen_py\dicts.dat VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_socket.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\select.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\psutil\_psutil_windows.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32net.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32\win32security.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_ssl.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\zstandard\backend_c.cp38-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\_queue.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md.cp38-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\charset_normalizer\md__mypyc.cp38-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\pywin32_system32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\win32 VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56642\base_library.zip VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe VolumeInformation

Source: C:\Users\user\Documents\SimpleAdobe\yyfBua979C0ZzSPnCxybIlhk.exe

Code function: 6_2_009FC84D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_009FC84D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{33071919-2175-4F9E-8105-BEAE0C730BFE}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{797FD966-CE70-43C0-B62D-A8420EB91151}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Registry value created: Exclusions_Extensions 1			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	Registry value created: Exclusions_Extensions 1			Jump to behavior

Modifies Group Policy settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Modifies power options to not sleep / hibernate

Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\xNcVS_VvZEHfTUaNtkua55mf.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\f5PK0Fmcntr6Bz8d571_sPMM.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNKXm3LImvO5in9OelWM8_lp.exe PID: 1628, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 6.2.yyfBua979C0ZzSPnCxybIlhk.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.azloBsQlDmB56PqIarSd7g7V.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.2518467991.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2518348325.0000000006AC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2602141465.000000000671F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yyfBua979C0ZzSPnCxybIlhk.exe PID: 6776, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M3c5GcarM7S9e4Fzg9fhkljA.exe PID: 1272, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 00000008.00000001.2312742116.0000000000843000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xNcVS_VvZEHfTUaNtkua55mf.exe PID: 2140, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.tNKXm3LImvO5in9OelWM8_lp.exe.82dad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2634159423.000000000452B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2634159423.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tNKXm3LImvO5in9OelWM8_lp.exe PID: 1628, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 6.2.yyfBua979C0ZzSPnCxybIlhk.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.azloBsQlDmB56PqIarSd7g7V.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000003.2518467991.0000000006B38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2518348325.0000000006AC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2602141465.000000000671F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yyfBua979C0ZzSPnCxybIlhk.exe PID: 6776, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\24PnbHlLLJLpyXRdC6DO5Pg.zip, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000012.00000002.2710206756.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2710518558.0000000002DE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fedad0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.M3c5GcarM7S9e4Fzg9fhkljA.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.8q5xyu0coQILTrboZdACo84I.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2314453573.0000000000B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M3c5GcarM7S9e4Fzg9fhkljA.exe PID: 1272, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Fb9COhEBuDNRhtMnCgGo2QiL.exe.45ec010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.Fb9COhEBuDNRhtMnCgGo2QiL.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe, type: DROPPED

Source: C:\Users\user\Documents\SimpleAdobe\Fb9COhEBuDNRhtMnCgGo2QiL.exe

Code function: 7_2_6983A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

7_2_6983A0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
1 Software	Acquire Infrastructure	Valid Accounts	1041 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	51 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	11 Windows Service	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	1 Credential API Hooking	3 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Browser Extensions	1 Bypass User Account Control	1 Abuse Elevation Control Mechanism	11 Input Capture	366 System Information Discovery	SMB/Windows Admin Shares	3 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	11 Windows Service	4 Obfuscated Files or Information	1 Credentials in Registry	2291 Security Software Discovery	Distributed Component Object Model	1 Email Collection	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	711 Process Injection	1 Install Root Certificate	LSA Secrets	1 Process Discovery	SSH	1 Credential API Hooking	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 Scheduled Task/Job	RC Scripts	1 Scheduled Task/Job	43 Software Packing	Cached Domain Credentials	1081 Virtualization/Sandbox Evasion	VNC	11 Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	1 Service Execution	Startup Items	11 Registry Run Keys / Startup Folder	1 Timestomp	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	1 PowerShell	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1081 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	711 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	21%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	100%	Avira	TR/AD.Nekark.sbdpe
C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	100%	Avira	TR/AD.Nekark.sbdpe
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe	100%	Joe Sandbox ML
C:\ProgramData\ImageGuide 3.1.33.66\ImageGuide 3.1.33.66.exe	49%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe	33%	ReversingLabs	Win32.Trojan.Privateloader
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	88%	ReversingLabs	Win64.Trojan.Privateloader
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe	33%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe	49%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\CD-DVD-Runner\is-0MI7C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\CD-DVD-Runner\is-3KPDG.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\CD-DVD-Runner\is-3TV13.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\CD-DVD-Runner\libeay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\CD-DVD-Runner\libssl-1_1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\CD-DVD-Runner\ssleay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\grabber[1].exe	16%	ReversingLabs	Win64.Malware.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\lumma1504[1].exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\123p[1].exe	88%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Space1.9_team[1].exe	30%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma1504[1].exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\060[1].exe	27%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default12_team[1].exe	34%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe	33%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[2].exe	33%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\timeSync[1].exe	30%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\AppInstallerBackgroundUpdate.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\BdeHdCfg.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\CameraSettingsUIHost.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe	34%	ReversingLabs	Win32.Adware.Generic
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\atieclxx.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\change.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\changepk.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\tQYsPom.exe	34%	ReversingLabs	Win32.Adware.Generic
C:\Users\user\AppData\Local\Temp\DEC.exe	96%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56642\_elementtree.pyd	0%	ReversingLabs

Name	Malicious	Antivirus Detection	Reputation
http://sodez.ru/tmp/index.php	true
economicscreateojsu.shop	true
entitlementappwo.shop	true
http://uama.com.ua/tmp/index.php	true
bordersoarmanusjuw.shop	true
http://talesofpirates.net/tmp/index.php	true

URLs from Memory and Binaries

Name	Source	Malicious
http://5.42.66.10/download/page_error.png	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR	Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	false
https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe.exe	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.139/dacha/rules.exe	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://sun6-21.userapi.com/c236331/u5294803/docs/d24/3cad94b79c70/imgdrive_2_1.bmp?extra=KSt_51f-h8	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
https://palberryslicker.sbs/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://papi.vk.com/pushsse/ruim	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153658618.000002262F7EB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://meet.crazyfigs.top/2	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://baldurgatez.com/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	false
https://ipinfo.io:443/widget/demo/81.181.57.52c	yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.00000000006B6000.00000004.00000020.00020000.00000000.sdmp	false
https://vk.com	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp	false
https://www.instagram.com	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/docs.20074c02.css	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://aui-cdn.atlassian.com/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10:80/download/page_error.pngZZ	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp	false
http://www.innosetup.com	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108082037.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA3C000.00000004.00000020.00020000.00000000.sdmp, jToGBYVMqv5v7FLLCc3PnzZj.exe, 0000000D.00000000.2240084953.0000000000410000.00000002.00000001.01000000.00000012.sdmp	false
http://5.42.66.10:80/api/flash.php	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
http://ACVC.WPF.Service.WcfT	Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	false
http://193.233.132.253/lumma1504.exe	azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	false
https://api.ip.sb/ip	tNKXm3LImvO5in9OelWM8_lp.exe, 00000011.00000002.2302959218.000000000082D000.00000004.00000001.01000000.00000010.sdmp	false
https://st6-22.vk.com/dist/web/ui_common.88618847.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://chrome.google.com/webstore	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	false
https://drive-daily-2.corp.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	false
https://iplogger.org:443/1nhuM4.js	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/page_layout.7b5800c2.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/polyfills.isolated.edaffb7b.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/RiseProSUPPORT	yyfBua979C0ZzSPnCxybIlhk.exe, 00000006.00000002.2653655280.000000000063E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.203/dl.php(	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
http://www.symauth.com/cps0(	OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	false
https://bbuseruploads.s3.amazonaws.com/8b0be658-c958-47a3-96e4-fc8e5fe7c5dc/downloads/dc50f97b-477f-	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2112981350.000002262FA85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA04000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168867567.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2104775379.000002262FA8A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://drive-daily-1.corp.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	false
https://drive-daily-5.corp.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10/download/page_error.png.	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
http://https://_bad_pdb_file.pdb	xNcVS_VvZEHfTUaNtkua55mf.exe, 00000008.00000001.2312742116.0000000000ACD000.00000004.00000001.01000000.00000008.sdmp	false
https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	false
https://stats.vk-portal.net	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://page-error.comJ	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513294818.000000000378A000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513385608.0000000003790000.00000004.00000020.00020000.00000000.sdmp	false
https://meet.crazyfigs.top/style/060.exep/0/6	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
http://127.0.0.1:	Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	false
https://st6-22.vk.com/css/al/fonts_utf.7fa94ada.css	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://ipinfo.io/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E06000.00000004.00000020.00020000.00000000.sdmp, azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/common_web.6a09f0e1.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
http://www.symauth.com/rpa00	OPHZ4RYtForDNHqUKDzFdbyl.exe, 0000000A.00000003.2319633989.0000000002150000.00000004.00000020.00020000.00000000.sdmp	false
https://r.mradx.net	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/unauthorized.20074c02.css	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://cdn.cookielaw.org/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103226461.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103034067.000002262F9FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103595029.000002262FA11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru/_F	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000003.2497090817.000000000675A000.00000004.00000020.00020000.00000000.sdmp	false
https://chromewebstore.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	false
https://monoblocked.com:80/525403/setup.exen$	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://palberryslicker.sbs/r	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://drive-preprod.corp.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513221526.0000000003798000.00000004.00000020.00020000.00000000.sdmp	false
https://urn.to/r/sds_see	Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000002.2628063256.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false
https://chrome.google.com/webstore/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513717785.0000000003783000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/raven_logger.ea0a2239.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.203/dl.php.exe	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://sandbox.google.com/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2513255238.0000000003787000.00000004.00000020.00020000.00000000.sdmp	false
https://static.vk.me	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	false
https://sun6-21.userapi.com/p	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142139632.000002262FA0E000.00000004.00000020.00020000.00000000.sdmp	false
http://193.233.132.253/lumma1504.exen%$	azloBsQlDmB56PqIarSd7g7V.exe, 00000016.00000002.2600009840.0000000001E48000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/moq/moq4	Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	false
https://st6-22.vk.com/dist/web/chunks/react.759f82b6.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/irfailAt	M3c5GcarM7S9e4Fzg9fhkljA.exe, 00000015.00000002.2292795591.0000000000FED000.00000004.00000001.01000000.00000014.sdmp	false
https://monoblocked.com/525403/setup.exenet/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru/s	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10:80/api/flash.php3	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153636596.000002262FAA7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153762628.000002262F7D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA73000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168948070.000002262FA5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FAA4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru:443/1pRXr7.txt	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
https://iplogger.org/	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp	false
https://ipinfo.io/namehttps://ipgeolocation.io/:	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2589232742.00000000002FF000.00000002.00000001.01000000.0000000A.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000003.2411267986.0000000000E60000.00000004.00001000.00020000.00000000.sdmp	false
https://carthewasher.net/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp	false
https://monoblocked.com/	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103641640.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2103387031.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/performance_observers.4d12f60f.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10/download/page_error.jpeg	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp	false
https://cdn.ampproject.org	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp	false
https://management.core.usgovcloudapi.netGODEBUG	QnkREgWvOVM7UiM40Bqj5sWB.exe, 00000014.00000002.2682443950.00007FF6563F9000.00000002.00000001.01000000.00000013.sdmp	false
https://st6-22.vk.com/css/al/vk_sans_display_faux.7d208ecb.css	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://monoblocked.com/525403/setup.exe	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140162487.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2113407483.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2110942258.000002262FA82000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2112684823.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108279479.000002262FA62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153701038.000002262F7F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2129457218.000002262F807000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2142500568.000002262F805000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140516709.000002262F7F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108740822.000002262FA82000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2122517096.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140554515.000002262F804000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2140478198.000002262F7EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108180577.000002262FA61000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2115459164.000002262FA7E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2108397207.000002262FA80000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru/1tqHh7.mp3	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp, DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/chunks/vkui.bce4c996.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru/R	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru/P	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
https://baldurgatez.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe;2	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F7ED000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/jobs_devtools_notification.14f96f02.js	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.security.us.panasonic.com	Fb9COhEBuDNRhtMnCgGo2QiL.exe, 00000007.00000000.2237816859.0000000000AF2000.00000002.00000001.01000000.00000007.sdmp	false
http://5.42.66.10/rIMa	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.00000000037B2000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10/download/th/retail.php12.php	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2094424127.000002262F81A000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.66.10/download/page_error.jpegF3	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2592639535.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/chunks/audioplayer-lib.93b52d88.css	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://st6-22.vk.com/dist/web/site_layout.20074c02.css	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168705727.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153119533.000002262FC23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152524641.000002262FE7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2152745201.000002262FC22000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2168162607.000002262FBE1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, 00000000.00000003.2153520987.000002262FA8D000.00000004.00000020.00020000.00000000.sdmp	false
https://iplis.ru:443/1BV4j7.mp4O	DLdiRYbSxUKrp0thTehxs0R7.exe, 00000009.00000002.2594870713.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.233.132.139	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.26.9.59	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.196.94	unknown	United States	13335	CLOUDFLARENETUS	true
52.216.50.177	unknown	United States	16509	AMAZON-02US	false
37.221.125.202	unknown	Lithuania	62416	PTSERVIDORPT	false
172.67.216.172	unknown	United States	13335	CLOUDFLARENETUS	false
18.205.93.1	unknown	United States	14618	AMAZON-AESUS	false
193.233.132.253	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
87.240.137.164	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
23.76.43.59	unknown	United States	19037	AMXArgentinaSAAR	false
172.67.161.113	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.132.113	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.169.146	unknown	United States	13335	CLOUDFLARENETUS	false
95.142.206.0	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
5.42.65.50	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
95.142.206.1	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
104.21.63.150	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.207.236	unknown	United States	13335	CLOUDFLARENETUS	false
37.27.87.155	unknown	Iran (ISLAMIC Republic Of)	39232	UNINETAZ	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
193.233.132.226	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
109.175.29.39	unknown	Bosnia and Herzegowina	9146	BIHNETBIHNETAutonomusSystemBA	false
186.10.34.51	unknown	Chile	6471	ENTELCHILESACL	true
185.172.128.23	unknown	Russian Federation	50916	NADYMSS-ASRU	true
104.26.4.15	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.5.28	unknown	United States	13335	CLOUDFLARENETUS	false
5.42.66.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
104.21.91.214	unknown	United States	13335	CLOUDFLARENETUS	false
45.130.41.108	unknown	Russian Federation	198610	BEGET-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428462
Start date and time:	2024-04-19 00:39:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@214/396@0/31
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Execution Graph export aborted for target DLdiRYbSxUKrp0thTehxs0R7.exe, PID 368 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Simulations

Behavior and APIs

Time	Type	Description
00:40:20	API Interceptor	18x Sleep call for process: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe modified
00:40:23	API Interceptor	1x Sleep call for process: Fb9COhEBuDNRhtMnCgGo2QiL.exe modified
00:40:29	API Interceptor	1x Sleep call for process: GDL7jRat1qTWaJDTi_iESGFr.exe modified
00:40:34	API Interceptor	6x Sleep call for process: xNcVS_VvZEHfTUaNtkua55mf.exe modified
00:40:34	API Interceptor	5x Sleep call for process: f5PK0Fmcntr6Bz8d571_sPMM.exe modified
00:40:35	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
00:40:35	API Interceptor	986x Sleep call for process: explorer.exe modified
00:40:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
00:40:39	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
00:40:41	API Interceptor	89x Sleep call for process: RegAsm.exe modified
00:40:46	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
00:40:50	Task Scheduler	Run new task: bwrroZoeZRoQVpyAcj path: C:\Users\user\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\tQYsPom.exe s>ZO /wWsite_idlDp 525403 /S
00:40:54	Task Scheduler	Run new task: MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR path: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe
00:40:54	Task Scheduler	Run new task: MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG path: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe
00:40:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe
00:41:09	Task Scheduler	Run new task: gzsSiudEb path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
00:41:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe
00:41:25	Task Scheduler	Run new task: Firefox Default Browser Agent 810E7727233AE4AD path: C:\Users\user\AppData\Roaming\fcegbwt
00:41:30	Task Scheduler	Run new task: qXnxKrbPbFSTFetyh path: C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\oPANMoY.exe s>ob /tVsite_idNXL 525403 /S
00:41:44	Task Scheduler	Run new task: MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe HR path: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe
00:41:45	Task Scheduler	Run new task: MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe LG path: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe
00:41:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe
00:41:48	Task Scheduler	Run new task: MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec HR path: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe
00:41:51	Task Scheduler	Run new task: MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec LG path: C:\ProgramData\MSIUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\MSIUpdaterV1.exe
00:41:58	Task Scheduler	Run new task: NetXkRqHZJDfE2 path: C:\Windows\system32\forfiles.exe s>/p C:\Windows\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\mMAjWdbxOIjSziVB\gvsoDQy.wsf^""
00:42:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec C:\Users\user\AppData\Local\AdobeUpdaterV1_5fc4ccc1a69cead8abaf9c75121d8fec\AdobeUpdaterV1.exe

Process:	C:\Users\user\Documents\SimpleAdobe\8q5xyu0coQILTrboZdACo84I.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\rvzZmTKhzLAk54H0OO5fg4xv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921600
Entropy (8bit):	7.559067836582103
Encrypted:	false
SSDEEP:	24576:qqTm7F2KYgS5KTXxvmwT5aL4P8zre91t9olr:2FXO5KTXZJ0LOAatmr
MD5:	65BE3195B801D271E01D41F7BF576BD8
SHA1:	9E20D649EE0884F8800EF67315CAF56C7A6EAA03
SHA-256:	EE877A4CAEC81C88DDD006C50A8196EADABE873CC6456ECF0D93150E839BC915
SHA-512:	C84A1863AAECE69B04BEACCD20BF74B1F5BB691D8B401E8613BAD717F5E5A94940E1B129B33AE3EB62E2D62EA988E904388F2E3B1AC35828B4441800FACF6F4C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%S..D=P.D=P.D=P...P.D=P...P.D=P...P.D=P.FP.D=P.D<P.D=P...P.D=P...P.D=P...P.D=PRich.D=P................PE..L...Z^.d...........................N.............@..........................@..............................................<...<....`..................................................................@............................................text.............................. ..`.rdata..de.......f..................@..@.data.....~..0......................@....tls.........P.......,..............@....rsrc........`.......6..............@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\Hrpxb3VVNyjyS2Of2WrcJREY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	315904
Entropy (8bit):	7.9900301024348765
Encrypted:	true
SSDEEP:	6144:DVa+NrJiVBc2wc6oKXwdUWFQg1SGWEWAMiY7ivtaqgntTZXHAYq7:J1NrJaBcOOiHWEWAMFKtdstTfq
MD5:	C60F5FA3A579BCA2C8C377F7E15B2221
SHA1:	D44B5C6DD64284F00D6F9D05CF5327A91CAD9339
SHA-256:	F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
SHA-512:	F419ADF4BD07CE18D9B7DE7445B2D0185653DE27738FD4403F880EE11BF49CA8A1958C1B2C94F8F4C5DA52EBC79462CFB6FE71849439F6AF017A95B44AF2F77B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5..........."...0.............~2... ........@.. .......................@............`.................................,2..O............................ .......1..8............................................ ............... ..H............text...H.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`2......H........$.................................................................]....0..#.........i. .......... .............+B.....- ....d....(....(...............+.......(...........o......X.. ....2.....+7. ....... ..............XX.. ....]...................X.. ....2........+f...+T..X ....].....X ....]...........&...................X ....]..........%G....a.R...X......i2....X.....2....................(....n .........%.....(..........0..H.........89.....P......%G ....X.R.P....

Process:	C:\Users\user\Documents\SimpleAdobe\azloBsQlDmB56PqIarSd7g7V.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	315904
Entropy (8bit):	7.9900301024348765
Encrypted:	true
SSDEEP:	6144:DVa+NrJiVBc2wc6oKXwdUWFQg1SGWEWAMiY7ivtaqgntTZXHAYq7:J1NrJaBcOOiHWEWAMFKtdstTfq
MD5:	C60F5FA3A579BCA2C8C377F7E15B2221
SHA1:	D44B5C6DD64284F00D6F9D05CF5327A91CAD9339
SHA-256:	F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
SHA-512:	F419ADF4BD07CE18D9B7DE7445B2D0185653DE27738FD4403F880EE11BF49CA8A1958C1B2C94F8F4C5DA52EBC79462CFB6FE71849439F6AF017A95B44AF2F77B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5..........."...0.............~2... ........@.. .......................@............`.................................,2..O............................ .......1..8............................................ ............... ..H............text...H.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`2......H........$.................................................................]....0..#.........i. .......... .............+B.....- ....d....(....(...............+.......(...........o......X.. ....2.....+7. ....... ..............XX.. ....]...................X.. ....2........+f...+T..X ....].....X ....]...........&...................X ....]..........%G....a.R...X......i2....X.....2....................(....n .........%.....(..........0..H.........89.....P......%G ....X.R.P....

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	95236
Entropy (8bit):	3.0884087275393495
Encrypted:	false
SSDEEP:	1536:zMd3Gz3OB2gkoK5DMxgvL7KZLXmcA6VNXxaq+x736+b+X+3+Z+2+3evg+DU+5+3Q:zMd3Gz3OB2gkoK5DMxgvL7KZLXmcA6VF
MD5:	CE24E00319FC8E20FF38AECD2632EE7C
SHA1:	91B932E02D92CF7849FD78CC7862E5571DD10187
SHA-256:	43B5333F5BA88E4CB8299177A754B0FA2C4C0B1E97CFF5E1E758CA5654C50BC6
SHA-512:	BA53FEAA725CEA1BCE3676D963F57A246DE2386CB5A5ABD9B3FC08FBD30C5B74149F959EDB5FF949A67A7D2BE4717F6AF77E54BCC4EFC125BC8D8893E0355538
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:	C:\Users\user\Documents\SimpleAdobe\GDL7jRat1qTWaJDTi_iESGFr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11214848
Entropy (8bit):	7.97772484802616
Encrypted:	false
SSDEEP:	196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG
MD5:	B091C4848287BE6601D720997394D453
SHA1:	9180E34175E1F4644D5FA63227D665B2BE15C75B
SHA-256:	D0B06CA6ECE3FEF6671FA8ACD3D560A9400891ABCD10F5CEDCFE7BD1E6050DFE
SHA-512:	A3B3663FD343389AEE2CBF76F426401D436992B2B56CEA3B60E9C2E385510FA874FA45B2AC75703074F0303934C4223EAEE1983851374A2E753FD0302042CC5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....L.f..........#.................y..........@.............................@............ ...................................................f.d.......X,..`...*...........................................v..(... ..8...............h............................text....~.......................... ..`.rdata..............................@..@.data...h...........................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0...4+......................... ..`.text1..8...........................@....text2..\... .....................`..h.rsrc...X,.........................@..@........................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-1I1LT.tmp\is-RKCCV.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3948834
Entropy (8bit):	6.382123082161787
Encrypted:	false
SSDEEP:	98304:3egaBHXr8oHOIlk8TlTwGRWH9M5odueM6V:FaBHRz2djueZ
MD5:	00B640E64C35C1E3F7AD1CB9A979BF2E
SHA1:	FDAC8B1FCA30576355B38345E045601EC2BA41E2
SHA-256:	A2CE846A84F5BD3D1CB8C0449915508DFCA1F67F6CC12A435F17A411E5D48012
SHA-512:	B2C94D43A899490864F17246CB8254EF44EDB6AE76A23EB3AC369B5391E7F42BE6D6BC816E9E0A1487E841AF2C5E801FB9070E42A04810D01AC1A81DEF715C1C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 49%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^.....................`.......u............@...........................<.............................................\........p...............................................................................................................text............................... ..`.rdata...6.......@..................@..@.data....T.......0..................@....rsrc........p.......@..............@..@.rview4..P..0.."A.................a.%.........................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\DLdiRYbSxUKrp0thTehxs0R7.exe
File Type:	RIFF (little-endian) data, Web/P image
Category:	dropped
Size (bytes):	29306
Entropy (8bit):	7.92147583488826
Encrypted:	false
SSDEEP:	768:xcjd3JISqF22OkACKSchdtm38rpsnNbd/bc7hS8mbE33wC06bA:mjISqF22Od6AtM8rpsNbd/WmSweM
MD5:	F47A2FC416A8E5B5A89DF402C45F1C35
SHA1:	7E57689F339B017C964A7CCFC44F823F664452FA
SHA-256:	718B06ABAD15580EF39B01D703E7A8CF7EF00379FCABD16F77803BA14F0628DF
SHA-512:	28965BB9E775CF74E879829F49EE48EBBAF3CBEF683B2A2AE25B23FB680DE3A94FCAB1CAB1AFC9D4962EA7F5F09D967A11B9AA0DD901DC4CFC2DF3EF04E067DA
Malicious:	false
Reputation:	unknown
Preview:	RIFFrr..WEBPVP8X.... .........ICCP.............0..mntrRGB XYZ ............acsp.......................................-....................................................desc.......$rXYZ........gXYZ...(....bXYZ...<....wtpt...P....rTRC...d...(gTRC...d...(bTRC...d...(cprt.......<mluc............enUS.........s.R.G.BXYZ ......o...8.....XYZ ......b.........XYZ ......$.........XYZ ...............-para..........ff......Y.......[........mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6VP8L.p../.....u!...........{.?..9g$..'..N...-n..Ul...qYX...8--..Qji.$.g&3g......=...m[..6..>..Q.........9..N.............o.......,.,.T..}..@.......~.....qRQ.e.m.m.o...V..e..RI.K...>....$I.t.8..==\|._}......EZ$ .......@i..!..)....@.l...ZF......a.$H.......P`[.d...aK.......Jg.l......`.:KA.0FF.....!..8U.;0.A...lK..:K.LE.,........K.d..J..KJ;,.... ..S.... ....H....H......R&. .X.Q.$.Cr")........K..... .p....L...%..rd.Rd[..)....R...pZ...%.\.)!......@)...................0.......r.#.FB)..

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	102344
Entropy (8bit):	4.024734905094693
Encrypted:	false
SSDEEP:	768:mla7khGwHjBwjk0V5uCl2rxN8L46FjHNdLPIp8yR1v9hpCvwmzypd3AcVNs5hRio:rk9HMuCl2r49hRiAGln0OFO1KQ9D
MD5:	8EF3B7584F4ACE537D0EBBEBCBB2E16A
SHA1:	F95E13D1F361625615D0A06D027B86A697300DD1
SHA-256:	C2CF35593BE3BFB15D33CADADE6F0AF81C34C996703F0382D9B7D6C84F405A50
SHA-512:	4A1BD256391AE7DD5ED83DDAF28279ED709085AD35FB2257A9955048A11FEF3A12C368DD57ACE119431747D1B8DEFBEA7E41A8A72BC1C7039F0C0432AD9D4648
Malicious:	false
Reputation:	unknown
Preview:	....h... ..............P...............X.......]...(..............x...V.......e.n.-.C.H.;.e.n.-.G.B...............H..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................a.l.f.o.n.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	5.30257092816603
Encrypted:	false
SSDEEP:	3072:agL5D7I860Lvdu97u5Hs1eRlMKUa1L7TVf1:ZLFI86Oe7BuPU2L7B
MD5:	9C100E7F219C7E05CCEA1899C511F4B9
SHA1:	2B9B7E9868E50A4A937BCC1DF238BF0FDF2CDDAA
SHA-256:	412A2FD5813DF7D330EE426CC11BEFAA40D614171C126FF156F87D7E0325F1E4
SHA-512:	438F59AB41D88EEC95E9D07E9100AFF4581433E52F7FF90D209AD84E37404AE5AF1509A5FA84BF7976B814BF860E4E0BD7400FCC0074A5F56E4EDAE9E48AB36F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X......D...D...D..7D...D..!Dx..D..&D5..D;w.D...D...Dn..D..(D...D..6D...D..3D...DRich...D................PE..L...5(Yc............................N.............@.............................................................................(....................................................................................................................text.............................. ..`.rdata..............................@..@.data....$~......(..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\OPHZ4RYtForDNHqUKDzFdbyl.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	62848
Entropy (8bit):	4.863853383693248
Encrypted:	false
SSDEEP:	768:h/yTbbApwORdsG+2rTPe9l9odnqipczdutBua2DarQ0yp1Ppzb9zhp:lyUpRRF+OQynqim0BuamaQ0yPPptzhp
MD5:	BFCEA96393C5BD5F12E9644E94C816C0
SHA1:	A9A18463AB7F63163DCE8B12B21EC8F0F2A72023
SHA-256:	3FA1139F173EE1F0DE2C82ECAB3D6E117B47D99FD9EB6881DF5D37EFFF95AEB3
SHA-512:	521654AEF2E292C783DFDEC3C82C827D4446BA3E8D133E0B83C69530F6F5B60675DF797F82DCEDCFA0E78971A450BEE06F70D7DC44EFDC41DDF4A21B425FA7CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.0Ya.^.a.^.a.^.h...B.^.a._.9.^..Z.h.^..].e.^..[.z.^..V.b.^....`.^..\.`.^.Richa.^.........PE..d...@.B.........."......`...`.......Q.........@.....................................\....`.......... ......................................8...h........................%......X....y..T...........................@p..@............q...............................text...lQ.......`.................. ..`.rdata...!...p...0...p..............@..@.data...............................@....pdata..............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\B0SLNTT0ZbIxZcHr0SHBJGEz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2048000
Entropy (8bit):	7.881673207108481
Encrypted:	false
SSDEEP:	49152:VQ/MiuIeQhJC6qtUyo/ghuXHzIXGO99rO093/GyIGgRaVrnLJ:h+h1yoYwI2O99r/LsRap
MD5:	AD8CD38CC7E369CFE856E4F7A0A68F30
SHA1:	9AE8EE2B0A2E2468E234C092EBB3087184A9F7C4
SHA-256:	27A73216E76DEDE729F944997747921D9D338809EECC1E088664F3C1FFCCB8DD
SHA-512:	AE5FE729C48AF136F1633EEF26594B5168C5933B17AEE837911DC21FAEC4F1073C7B6BECDF197125A6036880A5A99B46E28258B763A79E1ADF2728EA54933963
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@........................................-...L.F.L.F.L.F.5dF,L.F...G.L.F.LF.L.F..eF.L.FR.KF.M.F.4.F\M.F..IFNM.F.L.FjM.F..^F.L.F..NF.M.F.;XF)M.F...FeL.F^..G[L.F#(zF.M.F.:.F.M.F...F.L.F^..G.L.F^..G.M.F..YF.M.FR.LF.L.F.:.F.L.F.4.F\L.F..HF.M.F.;ZF.M.F.4.FmM.F..zFrM.F.5YF.M.F#(.G.L.F...G.M.Fk.OF L.FRich.L.F........................................................................................PE..L.....!f...........!.....0...L...F..@........................................P......*. .............................XH......\|F..<........A...................`.......................................................@..D............................text...P'.......0.................. ..`.rdata.......@.......@..............@..@.data........P.......P...................qdata..d .......0..................@...Zz=..........@.......0..............@...rtJ4......... ......................@...9xTY8C...F.......P..................@...T............`... ...P..............@...aD......6r......

Process:	C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	578384
Entropy (8bit):	6.524580849411757
Encrypted:	false
SSDEEP:	12288:RBSNvy11qsslnxU/1ceqHiNHlOp/2M+UHHZpDLO+r2VhQEKZm+jWodEEVAdm:RBSDOFQEKZm+jWodEE2dm
MD5:	1BA6D1CF0508775096F9E121A24E5863
SHA1:	DF552810D779476610DA3C8B956CC921ED6C91AE
SHA-256:	74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
SHA-512:	9887D9F5838AA1555EA87968E014EDFE2F7747F138F1B551D1F609BC1D5D8214A5FDAB0D76FCAC98864C1DA5EB81405CA373B2A30CB12203C011D89EA6D069AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."...f..f..f.....d..o.A.p..f........c.....n.....b...........g....-.g.....g..Richf..........................PE..d................." ...$.F...V......`1....................................................`A........................................PB..h.......,................9......PO......8...p...p...........................0...@............`...............................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data....8...@......................@....pdata...9.......:...<..............@..@.rsrc................v..............@..@.reloc..8............z..............@..B................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\jToGBYVMqv5v7FLLCc3PnzZj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	663552
Entropy (8bit):	6.4687980579745945
Encrypted:	false
SSDEEP:	12288:XeuHnWgyrgVu4rPy37WzH0A6uaF4JNK3NFRvYZajlxp:uuHcrgVxrPy37WzH0A6uwkNK4Klxp
MD5:	823E80C325207F495A59B69AAE8AEFAD
SHA1:	4F6C6C696CFD47CF3571B9931829BFDA1D2FDA55
SHA-256:	520737B28D4086412E0CB4C8ECBD5E7273360D523866EBABCF1A8ECC93663EF0
SHA-512:	BE73D771F3E313D0244449FD6E0D4B49D10088672B082ADD4A28CFEC36D48C13393B7BBFB0B495EB2ED9D9BA525F304EDB8F2353E28AC6FFFB0053AC2407A463
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................."%.......0...................................................@......................................................CODE....,........................... ..`DATA................................@...BSS.....T................................idata.."%.......&..................@....tls.........0...........................rdata.......@......................@..P.reloc.......P......................@..P.rsrc....0.......0..................@..P....................................@..P........................................................................................................................................

Entrypoint:	0x14079aab2
Entrypoint Section:	.vmp(R
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x660BF9C0 [Tue Apr 2 12:27:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	023aae353653db016d3a89da454d1d86

Signature Valid:	false
Signature Issuer:	CN=\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	13/04/2024 11:26:20 14/04/2034 11:26:20
Subject Chain	CN=\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z
Version:	3
Thumbprint MD5:	77E3547D756C42A66CB4426739A242FF
Thumbprint SHA-1:	A3E3582D69361C09C56050EFDAB96F951FD96C2B
Thumbprint SHA-256:	7518998411E11FEBA2B334A8272475F043647D34BA731C223E012BD81917BDD0
Serial:	3A02069D084A9BAE4554635C0DB95A8D

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x78bae0	0xa0	.vmp(R
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab0000	0x31cb1	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa9ec30	0xf330	.vmp(R
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3d0c00	0x1dc0	.themida
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaae000	0x1564	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x734df8	0x28	.vmp(R
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x710000	0x98	.vmp(R
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18f9ce	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x191000	0x47046	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1d9000	0xb198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1e5000	0xf198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x1f5000	0x1f4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp(R	0x1f6000	0x31ca1	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x228000	0x21d0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x22b000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x22c000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x22d000	0x47e000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp(R	0x6ab000	0x64e62	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp(R	0x710000	0x3d0	0x400	3066240cfb3c8658ef9f5e519612b32c	False	0.072265625	data	0.3770621172411255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp(R	0x711000	0x39cf60	0x39d000	f71adcef6efd3518840bf908f48239d4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xaae000	0x1564	0x1600	26db4b13f572c4c1bf45a7cd2466182e	False	0.18980823863636365	GLS_BINARY_LSB_FIRST	5.3780643262997385	IMAGE_SCN_MEM_READ
.rsrc	0xab0000	0x31cb1	0x31e00	ce3e161b70785dfd445e45db8549ad53	False	0.6563332158521303	data	6.691549152245497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TYPELIB	0xab0320	0xb8a0	data			0.2674128300609343
RT_ICON	0xabbbc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.6393058161350844
RT_ICON	0xabcc68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.5610995850622407
RT_ICON	0xabf210	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.5178908833254605
RT_ICON	0xac3438	0xfaf1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.00040472595383
RT_ICON	0xad2f30	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.41838649155722324
RT_ICON	0xad3fd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.3154564315352697
RT_ICON	0xad6580	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.27586206896551724
RT_ICON	0xada7a8	0x6f3a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9999297604832479
RT_GROUP_ICON	0xae16e8	0x3e	data	English	United States	0.8225806451612904
RT_GROUP_ICON	0xae1728	0x3e	data	English	United States	0.8709677419354839
RT_VERSION	0xae1768	0x3a4	data			0.45064377682403434
RT_MANIFEST	0xae1b10	0x1a1	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5755395683453237

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	GetCursorPos
ADVAPI32.dll	RegCloseKey
SHELL32.dll	SHGetFolderPathA
ole32.dll	CoCreateInstance
OLEAUT32.dll	VariantClear
kernel32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Threatname: SmokeLoader

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Change of critical system settings

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAKJEGCFBGDHJJJJJKJECFCFCA

Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe

Target ID:	0
Start time:	00:39:59
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe"
Imagebase:	0x7ff77ee30000
File size:	4'008'384 bytes
MD5 hash:	193692E1CF957EEF7E6CF2F6BC74BE86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	00:40:01
Start date:	19/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	23
Start time:	00:40:21
Start date:	19/04/2024
Path:	C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\SimpleAdobe\Honz_MBQI6vCkcbyCN3yB4rh.exe
Imagebase:	0x7ff7fe5a0000
File size:	11'440'768 bytes
MD5 hash:	5917C8E5A003B2C211150D1F92440F79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	26
Start time:	00:40:22
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	00:40:25
Start date:	19/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x810000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	00:40:26
Start date:	19/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xde0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	00:40:27
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\regsvr32.exe" /S .\TaFD.XRA
Imagebase:	0x7b0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	00:40:28
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Local\Temp\7zSCA9.tmp\Install.exe
Wow64 process (32bit):	true
Commandline:	.\Install.exe /dlhwdidkpGO "525403" /S
Imagebase:	0xc80000
File size:	6'897'664 bytes
MD5 hash:	F8EFB05B940B05FC74801B61B3C0F500
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 34%, ReversingLabs
Has exited:	false

Target ID:	33
Start time:	00:40:30
Start date:	19/04/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff73c4e0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	43
Start time:	00:40:31
Start date:	19/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Imagebase:
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false