Edit tour

Windows Analysis Report
qk9TaBBxh8.exe

Overview

General Information

Sample name:	qk9TaBBxh8.exe renamed because original name is a hash value
Original sample name:	cb4118382e3f97f0db04938a4e31e3e1.exe
Analysis ID:	1429030
MD5:	cb4118382e3f97f0db04938a4e31e3e1
SHA1:	d31dff9e56df945247cbb0598bf0c1d27aedcccf
SHA256:	fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3
Tags:	64exePrivateLoadertrojan
Infos:

Detection

LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected Glupteba

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected RisePro Stealer

Yara detected SmokeLoader

Yara detected Stealc

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains very large array initializations

Adds extensions / path to Windows Defender exclusion list (Registry)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Creates a thread in another existing process (thread injection)

Creates multiple autostart registry keys

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Drops PE files to the document folder of the user

Exclude list of file types from scheduled, custom, and real-time scanning

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Found stalling execution ending in API Sleep call

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies Group Policy settings

Modifies power options to not sleep / hibernate

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a Chrome extension

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Windows Defender Exclusions Added - Registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

query blbeacon for getting browser version

Classification

Process Tree

System is w10x64

qk9TaBBxh8.exe (PID: 5936 cmdline: "C:\Users\user\Desktop\qk9TaBBxh8.exe" MD5: CB4118382E3F97F0DB04938A4E31E3E1)

zFe0EAtgy56yDxXht4nmozfb.exe (PID: 2448 cmdline: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe MD5: 11A92C610057432013E972144EFC0EA0)

EWdN3bvBjxAbF1GyzHE7_p73.exe (PID: 4540 cmdline: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe MD5: 817C11005CA185252E666C25769A2591)

70Leo0eE867BJ4vm1aky3Uk3.exe (PID: 3800 cmdline: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe MD5: 083BBD31609819B33AD9998C1525612A)

nRGT2oA3F8V3EBSM6dmMTrGw.exe (PID: 3108 cmdline: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe MD5: 15A5A210A88D15A932171A9FA25A1356)

MSBuild.exe (PID: 5264 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

FSYOvyvMMT80PCsMousFK1Xa.exe (PID: 3884 cmdline: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe MD5: B841D5F5E8102EE6AC56D565FBB58879)

conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6416 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

Jsakr_KmqehdR6ptAH1OzwuM.exe (PID: 4060 cmdline: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe MD5: 5917C8E5A003B2C211150D1F92440F79)

conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eQEIduvtZVhzsp4oDFOuc1gy.exe (PID: 4160 cmdline: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe MD5: 0A36767173321199A74B6C2749E293F8)

T9n2wvLQ1PO2GfTxLTyp21hE.exe (PID: 4616 cmdline: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe MD5: 87474EC710EF8FD62769AAE7C17CEDA0)

regsvr32.exe (PID: 1216 cmdline: "C:\Windows\System32\regsvr32.exe" -s .\SZM3Yb.I -u MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

NyiVs23yIO_0wMOj5TwwBpJ5.exe (PID: 3704 cmdline: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe MD5: 0333777653A29FF6425D4CCE9CF6998E)

45NBK9axc23mjqmbKvmG0NYP.exe (PID: 2332 cmdline: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe MD5: A134C160036C6542BE45BA9FC2D8132D)

tXlQ3NLbQqxBkFS_TfaDHWX4.exe (PID: 5340 cmdline: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe MD5: B413116E9122E54828DE168502CF3316)

TUBbflj40zqtNIEKWH_MWjeG.exe (PID: 3856 cmdline: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe MD5: 08716C77EB12B403C525571C36C29FEE)

is-P287H.tmp (PID: 5024 cmdline: "C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp" /SL4 $20402 "C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe" 3022131 52224 MD5: 813B26B63B6054C7B58D09F32E61AB18)

cjlnYlPYSIAljKunxGKtil91.exe (PID: 876 cmdline: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe MD5: C9AD12873E4B3F8AE042800AB6CA01B5)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6916 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

kPBjgT9TnN00tvBCDizDiq41.exe (PID: 3872 cmdline: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe MD5: BABB0A05BFFC1AA3AD452F745FF1C9E1)

schtasks.exe (PID: 768 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2196 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

bKj5ORDxbqgwdZav4hyONQmM.exe (PID: 3608 cmdline: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe MD5: B091C4848287BE6601D720997394D453)

powercfg.exe (PID: 4836 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 3476 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 3816 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 992 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

ooon0i8sg2EZy1pci_ppgkth.exe (PID: 6924 cmdline: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe MD5: D15459E9B9D12244A57809BC383B2757)

ocI8OvNXSYwHw7Rg5l6_f8IK.exe (PID: 4440 cmdline: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe MD5: 5EB7C8D4E4A0A7C66277EB3E4295C7A1)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

svchost.exe (PID: 4044 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2304 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5632 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5564 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3108 -ip 3108 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.172.128.23/f993692117a3fda2.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.23/f993692117a3fda2.php"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}

Threatname: RedLine

{"C2 url": ["5.42.65.50:33080"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\J4dorNOROd60TEXKOpUsDEA.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\YrWSGTvMbD1qxqADGULdj7d.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcb387:$s1: file:/// 0xcb297:$s2: {11111-22222-10009-11112} 0xcb317:$s3: {11111-22222-50001-00000} 0xc9fdb:$s4: get_Module 0x41c0ea:$s4: get_Module 0xc2f8e:$s5: Reverse 0x41abeb:$s5: Reverse 0x41ad57:$s6: BlockCopy 0xc0864:$s7: ReadByte 0x40f9a2:$s7: ReadByte 0xcb399:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.2716540059.0000000001AFF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6b9f:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001D.00000002.2809504099.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000003.2850327356.00000000066F2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000A.00000002.2626409081.00000000044AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2626409081.00000000044AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001C.00000002.2938091738.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001C.00000002.2976391613.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001C.00000002.2976391613.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2439089037.00000000000AE000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000002.2719169995.0000000003650000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000001D.00000002.2970352519.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.2970352519.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000003.2852539306.00000000066F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000F.00000002.3022350261.0000000001CBF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x16e0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001C.00000002.2938091738.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001C.00000002.2938091738.0000000000400000.00000040.00000400.00020000.00000000.sdmp	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x2f116:$x5: vchost.exe 0x30116:$x5: vchost.exe
0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3015167493.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000002.3015167493.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000011.00000001.2435771287.0000000000843000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: zFe0EAtgy56yDxXht4nmozfb.exe PID: 2448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nRGT2oA3F8V3EBSM6dmMTrGw.exe PID: 3108	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FSYOvyvMMT80PCsMousFK1Xa.exe PID: 3884	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: eQEIduvtZVhzsp4oDFOuc1gy.exe PID: 4160	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.cjlnYlPYSIAljKunxGKtil91.exe.aeac0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
29.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.25eac0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.25eac0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
28.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.230000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
28.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
28.2.RegAsm.exe.400000.0.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x2f116:$x5: vchost.exe 0x30116:$x5: vchost.exe
19.2.cjlnYlPYSIAljKunxGKtil91.exe.80000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
19.2.cjlnYlPYSIAljKunxGKtil91.exe.aeac0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x521c3:$s1: file:/// 0x520fb:$s2: {11111-22222-10009-11112} 0x52153:$s3: {11111-22222-50001-00000} 0x4eb4c:$s4: get_Module 0x49d68:$s5: Reverse 0x4a5f0:$s6: BlockCopy 0x49d50:$s7: ReadByte 0x521d5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x503c3:$s1: file:/// 0x502fb:$s2: {11111-22222-10009-11112} 0x50353:$s3: {11111-22222-50001-00000} 0x4cd4c:$s4: get_Module 0x47f68:$s5: Reverse 0x487f0:$s6: BlockCopy 0x47f50:$s7: ReadByte 0x503d5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcb387:$s1: file:/// 0xcb297:$s2: {11111-22222-10009-11112} 0xcb317:$s3: {11111-22222-50001-00000} 0xc9fdb:$s4: get_Module 0x41c0ea:$s4: get_Module 0xc2f8e:$s5: Reverse 0x41abeb:$s5: Reverse 0x41ad57:$s6: BlockCopy 0xc0864:$s7: ReadByte 0x40f9a2:$s7: ReadByte 0xcb399:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.1.tXlQ3NLbQqxBkFS_TfaDHWX4.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
7.2.zFe0EAtgy56yDxXht4nmozfb.exe.9a0000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
13.2.eQEIduvtZVhzsp4oDFOuc1gy.exe.140000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 31 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe, ParentImage: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe, ParentProcessId: 3608, ParentProcessName: bKj5ORDxbqgwdZav4hyONQmM.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 4836, ProcessName: powercfg.exe

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe, ProcessId: 2448, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\qk9TaBBxh8.exe, ProcessId: 5936, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, CommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, ProcessId: 4044, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: HEUR/AGEN.1361904
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Avira: detection malicious, Label: TR/AD.Nekark.sbdpe

Found malware configuration

Source: 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.23/f993692117a3fda2.php"}
Source: 00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}
Source: 0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.23/f993692117a3fda2.php"}
Source: 29.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["5.42.65.50:33080"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Multi AV Scanner detection for domain / URL

Source: http://193.233.132.139/dacha/rules.exe	Virustotal: Detection: 25%	Perma Link
Source: http://185.172.128.23/8e6d9db21fb63946/nss3.dll	Virustotal: Detection: 19%	Perma Link
Source: http://185.172.128.23/f993692117a3fda2.phpt	Virustotal: Detection: 16%	Perma Link
Source: http://185.172.128.23/8e6d9db21fb63946/mozglue.dll	Virustotal: Detection: 7%	Perma Link
Source: http://185.172.128.23/8e6d9db21fb63946/sqlite3.dll	Virustotal: Detection: 19%	Perma Link
Source: http://sodez.ru/tmp/index.php	Virustotal: Detection: 20%	Perma Link
Source: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe	Virustotal: Detection: 5%	Perma Link
Source: http://193.233.132.253/lumma1504.exe	Virustotal: Detection: 22%	Perma Link
Source: http://5.42.66.10/download/th/retail.phphps	Virustotal: Detection: 19%	Perma Link
Source: http://uama.com.ua/tmp/index.php	Virustotal: Detection: 17%	Perma Link
Source: https://monoblocked.com/525403/setup.exexe	Virustotal: Detection: 12%	Perma Link
Source: https://carthewasher.net/	Virustotal: Detection: 15%	Perma Link
Source: https://monoblocked.com/	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.23/8e6d9db21fb63946/msvcp140.dll	Virustotal: Detection: 7%	Perma Link
Source: https://monoblocked.com/525403/setup.exe	Virustotal: Detection: 13%	Perma Link
Source: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe	Virustotal: Detection: 9%	Perma Link
Source: http://talesofpirates.net/tmp/index.php	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Retailer_prog[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\123p[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Space_bake[1].exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Default16_team[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cad54ba5b01423b1af8ec10ab5719d97[1].exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\grabber[1].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\lumma1504[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\Install.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: qk9TaBBxh8.exe	ReversingLabs: Detection: 36%
Source: qk9TaBBxh8.exe	Virustotal: Detection: 25%			Perma Link

Yara detected Glupteba

Source: Yara match	File source: 17.1.tXlQ3NLbQqxBkFS_TfaDHWX4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000001.2435771287.0000000000843000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Sleep
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: user32.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sscanf
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: http://185.172.128.23
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: /f993692117a3fda2.php
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: /8e6d9db21fb63946/
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: default9
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HeapFree
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Process32Next
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Process32First
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: LocalFree
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: FindClose
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ReadFile
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: WriteFile
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetLastError
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SelectObject
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BitBlt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GdipFree
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetDC
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: StrStrA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RmGetList
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: PATH
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: browser:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: profile:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: url:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: login:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: password:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Opera
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: OperaGX
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Network
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: cookies
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: .txt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: TRUE
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: FALSE
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: autofill
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: history
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: name:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: month:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: year:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: card:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Cookies
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Login Data
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Web Data
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: History
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: logins.json
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: usernameField
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: guid
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: plugins
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: CURRENT
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Local State
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: chrome
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: opera
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: firefox
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: wallets
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ProductName
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ProcessorNameString
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DisplayName
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Network Info:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: System Summary:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - HWID:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - OS:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - UserName:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - UTC:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Language:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - CPU:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Threads:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Cores:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - RAM:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: - GPU:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: User Agents:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: All Users:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Current User:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Process List:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Temp\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: .exe
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: runas
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: open
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: /c start
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: *.lnk
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: files
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \discord\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: key_datas
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: map*
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Telegram
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: *.tox
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: *.ini
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Password
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: 00000001
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: 00000002
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: 00000003
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: 00000004
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Pidgin
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \.purple\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: token:
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: SteamPath
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \config\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ssfn*
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: config.vdf
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Steam\
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: browsers
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: done
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: soft
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: https
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: POST
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: hwid
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: build
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: token
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: file_name
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: file
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: message
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0D9D0 CryptAcquireContextA,GetLastError,	10_2_69B0D9D0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	10_2_69B0DBB0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0DD20 CryptReleaseContext,	10_2_69B0DD20
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0DEE0 CryptReleaseContext,	10_2_69B0DEE0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0DE00 CryptGenRandom,__CxxThrowException@8,	10_2_69B0DE00
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B335E0 CryptReleaseContext,	10_2_69B335E0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0D7F0 CryptReleaseContext,	10_2_69B0D7F0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B0D7D4 CryptReleaseContext,	10_2_69B0D7D4

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 17.1.tXlQ3NLbQqxBkFS_TfaDHWX4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000001.2435771287.0000000000843000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe

Unpacked PE file: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbW source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DCD000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2718547054.0000000069B34000.00000002.00000001.01000000.00000021.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2693560746.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.0000000004AC8000.00000004.00000800.00020000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.0000000004331000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DCD000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\laracu valo35\tag\ped\kixe\vevuyohiyiva_yicofok.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D70232C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128070226.000001D702377000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D702356000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127511693.000001D702218000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126674447.000001D7021F6000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D702377000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000003.2613298063.000001DB77B90000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2622806676.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000266000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D7023E9000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127896153.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126643406.000001D70224D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128179905.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, T9n2wvLQ1PO2GfTxLTyp21hE.exe, 0000000E.00000002.2520477544.00000000002F9000.00000002.00000001.01000000.0000000D.sdmp, T9n2wvLQ1PO2GfTxLTyp21hE.exe, 0000000E.00000000.2397254577.00000000002F9000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbEMP source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2705372697.00000000064C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: zFe0EAtgy56yDxXht4nmozfb.exe, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928592869.0000000000B39000.00000040.00000001.01000000.00000006.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000001.2521718747.00000000002F0000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vuhuyiwulumopo62_soba.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2132642581.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127967224.000001D7021F5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134526384.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128255759.000001D702217000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2138129759.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2136306601.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130037595.000001D702217000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2129915477.000001D7021B0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142101955.000001D7027FE000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132761360.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Moq.pdbSHA256@ source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\sehuxi\gukulow\tulatesati\wudapul-rarupi.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2142363047.000001D702353000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2145509043.000001D703B50000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141999180.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2149442634.000001D704113000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142230053.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2143104056.000001D702988000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142675803.000001D702495000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2145072174.000001D703403000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141838147.000001D70224D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2146166478.000001D703DAA000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142453918.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000003.2613298063.000001DB77B90000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2622806676.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000266000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Moq.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2471533821.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbV source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: uic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583230702.0000000001538000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2472974179.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DD8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdbjz source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2448673035.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdboF source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DD8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2472336262.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2469992759.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbh source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbeIn source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2705372697.00000000064C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2705372697.00000000064C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.PDB source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583230702.0000000001538000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.PDB source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2693560746.0000000005FAA000.00000004.08000000.00040000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.00000000049F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 453C:\laracu valo35\tag\ped\kixe\vevuyohiyiva_yicofok.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D70232C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128070226.000001D702377000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D702356000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127511693.000001D702218000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126674447.000001D7021F6000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D702377000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2448940390.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A7B1CB FindFirstFileExW,GetLastError,		7_2_00A7B1CB
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009AB300 FindFirstFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,		7_2_009AB300

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6940
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	10_2_05CD5565
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6939
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	10_2_05CDD480
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6C69
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	10_2_05CDD478
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6C70
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then jmp 05CDD06Ah	10_2_05CDCFB8
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then jmp 05CDD06Ah	10_2_05CDCFB0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6B58
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6B60
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	10_2_05CD36DC
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	10_2_05CDCED7
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6A48
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	10_2_05CD6A50

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 102.53.9.151 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.172.128.23/f993692117a3fda2.php
Source: Malware configuration extractor	URLs: http://185.172.128.23/f993692117a3fda2.php
Source: Malware configuration extractor	URLs: http://nidoe.org/tmp/index.php
Source: Malware configuration extractor	URLs: http://sodez.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://uama.com.ua/tmp/index.php
Source: Malware configuration extractor	URLs: http://talesofpirates.net/tmp/index.php
Source: Malware configuration extractor	URLs: 5.42.65.50:33080

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: dCIjUPk4HQDvWsTSBTjdtIZC.exe.0.dr
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: aniSiiwr9ACMsStraaf0y6pm.exe.0.dr

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: 7_2_009BE220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,

7_2_009BE220

Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.facebook.com (Facebook)
Source: qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.twitter.com (Twitter)
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp equals www.youtube.com (Youtube)

Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://127.0.0.1:
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/dl.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/dl.phpL
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022158722.0000000001CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/freebl3.dll/Li
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/freebl3.dll3Mu
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/mozglue.dll
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/mozglue.dllOMI
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/msvcp140.dll
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/msvcp140.dllkM-
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/nss3.dll
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/softokn3.dll
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/softokn3.dll=MG
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/softokn3.dllgL
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/sqlite3.dll
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/sqlite3.dllYM
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/sqlite3.dllt
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/vcruntime140.dll
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/8e6d9db21fb63946/vcruntime140.dllRE
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/f993692117a3fda2.php
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000549000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://185.172.128.23/f993692117a3fda2.phpb36fd1cef167f046e714b525b44eclt-release2949fc6aa0d2f9ea88e
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/f993692117a3fda2.phpt
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23/f993692117a3fda2.phptop
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022158722.0000000001CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.23S
Source: qk9TaBBxh8.exe, 00000000.00000003.2141201425.000001D702104000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.139/dacha/rules.exe
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935186807.0000000006678000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935510140.0000000006790000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma1504.exe
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma1504.exe0
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma1504.exeH
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe.203/dl.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe6
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exej
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EE9000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage16.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage16.php.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175216899.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167397049.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage16.php?
Source: qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175216899.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167397049.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage16.phpV
Source: qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175216899.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167397049.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage16.phpY
Source: qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php16.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phphps
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpx
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.phpJ
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.phpb
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveResponse
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveT
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartResponse
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartT
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ACVC.WPF.Service.WcfT
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assure
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssureZ
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiC
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCM
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCZ
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169190202.000001D7021A0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167052907.000001D7021A0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021A0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wikkt.com/forum/index.php
Source: qk9TaBBxh8.exe, 00000000.00000003.2169190202.000001D7021A0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167052907.000001D7021A0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wikkt.com/forum/index.php-
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wikkt.com/forum/index.phpK
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468996555.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: qk9TaBBxh8.exe, 00000000.00000003.2129915477.000001D702263000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132941283.000001D70220C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130108191.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132642581.000001D70230A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132761360.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2129915477.000001D7021D9000.00000004.00000020.00020000.00000000.sdmp, TUBbflj40zqtNIEKWH_MWjeG.exe, 00000012.00000000.2397793800.0000000000410000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.innosetup.com
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928161171.0000000000AB6000.00000040.00000001.01000000.00000006.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2816985403.0000000000255000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928161171.0000000000AB6000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDp
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2816985403.0000000000255000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDp&Tp&
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.tiktok.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com/
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com/~
Source: qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://baldurgatez.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2130037595.000001D702241000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126739049.000001D70218A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/8b0be658-c958-47a3-96e4-fc8e5fe7c5dc/downloads/dc50f97b-477f-
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/gs
Source: qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exeU
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org:80/superworkspacenb/gerge/downloads/grabber.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.574859385.xyz/
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.574859385.xyz/525403/setup.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.574859385.xyz/b
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/R
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/fbdd1d2f6f7fd732cbea599f111537fe/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/fbdd1d2f6f7fd732cbea599f111537fe/cad54ba5b01423b1af8ec10ab5719d97.exed97.ex
Source: qk9TaBBxh8.exe, 00000000.00000003.2141201425.000001D7020E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://carthewasher.net/fbdd1d2f6f7fd732cbea599f111537fe/cad54ba5b01423b1af8ec10ab5719d97.exejd
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ampproject.org
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.syndication.twimg.com
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://connect.facebook.net
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/A
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52k
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000196A000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.vk.com
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gigachadfanclub.org/
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EFD000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EFD000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EFD000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130154518.000001D7020FE000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EF8000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134929615.000001D7020FC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gigachadfanclub.org/fbdd1d2f6f7fd732cbea599f111537fe/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gigachadfanclub.org/fbdd1d2f6f7fd732cbea599f111537fe/7725eaa6592c80f8124e769b4e8a07f7.exebe
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2448128572.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://github.com/moq/moq4
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.0000000001979000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/d=
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928161171.0000000000AB6000.00000040.00000001.01000000.00000006.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2816985403.0000000000255000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001321000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/sW
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000194B000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.000000000133A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.0000000001979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52$a
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.0000000001979000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52.
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe	String found in binary or memory: https://login.chinacloudapi.cn/crypto/aes:
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://login.microsoftonline.com/crypto/rc4:
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe	String found in binary or memory: https://login.microsoftonline.us/scalar
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=login
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=logout&hash=b823d72190fa28b755&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcr
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://management.azure.cominvalid
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://management.chinacloudapi.cnP224
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://management.core.chinacloudapi.cnchacha20poly1305:
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://management.core.usgovcloudapi.netGODEBUG
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://management.usgovcloudapi.nethttps://management.core.windows.net/edwards25519:
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maps.googleapis.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/F
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/Z
Source: qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exe16.phpF
Source: qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exeD
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exephp
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top/style/060.exes.top/
Source: qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meet.crazyfigs.top:80/style/060.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/
Source: qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeom/
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exexe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/
Source: qk9TaBBxh8.exe, 00000000.00000003.2133663823.000001D702104000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exeS
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exeexe
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs:80/lander/File_294/setup294.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palberryslicker.sbs:80/lander/File_294/setup294.exe;
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://papi.vk.com/pushsse/ruim
Source: qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://platform.twitter.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r.mradx.net
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securepubads.g.doubleclick.net
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021AC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/base.7c74f023.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021AC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/common.1545e5c6.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021AC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/fonts_cnt.c7a76efe.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021AC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/fonts_utf.7fa94ada.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/ui_common.4135db2f.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/uncommon.6d51982c.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/vk_sans_display.5625d45f.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/vk_sans_display_faux.7d208ecb.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021AC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/al/vkui.43318ab6.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169190202.000001D70219B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/fonts/VKSansDisplayDemiBold
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/css/fonts/VKSansDisplayDemiBoldFaux.v100.woff2
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/audioplayer-lib.5f2a5c5d.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/audioplayer-lib.93b52d88.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/common.1a9638fd.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/react.759f82b6.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/state-management.c22f9f68.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/vkcom-kit-icons.826b9222.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/vkcom-kit.342340af.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/vkcom-kit.385e5148.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/chunks/vkui.847cc706.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/common_web.9d09fc5d.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/common_web.bb0c1fad.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/css_types.1bff1a5b.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/docs.20074c02.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/docs.819ef167.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/error_monitoring.isolated.3df2967b.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/grip.0b3b493f.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/jobs_devtools_notification.14f96f02.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/likes.08bf71a4.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/likes.20074c02.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/page_layout.7b5800c2.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/performance_observers.4d12f60f.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/polyfills.isolated.edaffb7b.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/raven_logger.ea0a2239.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/site_layout.20074c02.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/site_layout.625c2925.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/ui_common.20074c02.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/ui_common.b828980c.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/unauthorized.20074c02.css
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/unauthorized.f646a9e2.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-23.vk.com/dist/web/vk_sans_observer.fb28db65.js
Source: qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.vk.me
Source: qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stats.vk-portal.net
Source: FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: qk9TaBBxh8.exe, 00000000.00000003.2169190202.000001D7021A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-21.userapi.com/c236331/u5294803/docs/d24/ef46b35f8bf1/imgdrive_2_1.bmp?extra=bkM2v2_xSr
Source: qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-22.userapi.com/c909518/u5294803/docs/d23/f3f574557e5d/crypted.bmp?extra=OZKsfqLr82JxeKr
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.00000000013BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.I
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000198D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.X0
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT_IDENTIFIER=Intel64
Source: FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://t.me/irfail
Source: FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://t.me/irfailAt
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot.52nia
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_boteriSign
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tagmanager.google.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ton.twimg.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe3
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exep
Source: qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2623125717.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668652542?hash=KlAQZ4zXtzzV5eLSZ1KaXKdCOpfsWxOfH5GyV92XrPL&dl=yPhjzrub8w5M
Source: qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668769608?hash=EJK4IigrO9hmPOkFxXqpLliN8ksP1vifJqKZbhFKHvw&dl=HyyWNdLGIElg
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZgmzf
Source: qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc
Source: qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F0E000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZg
Source: qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.ru
Source: qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2452855135.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2465996225.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2457158395.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449377666.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449563727.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468746507.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450463415.0000022634F28000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468946975.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2451130803.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449434243.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2450640619.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468795113.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2449615473.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468664100.0000022634F2A000.00000004.00000020.00020000.00000000.sdmp, Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2468605258.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com
Source: zFe0EAtgy56yDxXht4nmozfb.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/about/P.exe
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.security.us.panasonic.com
Source: qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 17.1.tXlQ3NLbQqxBkFS_TfaDHWX4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000001.2435771287.0000000000843000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpFEA6.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpFE95.tmp			Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000017.00000002.2716540059.0000000001AFF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000017.00000002.2719169995.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.3022350261.0000000001CBF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001C.00000002.2938091738.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: lumma1504[1].exe.7.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 307200
Source: JpL3YVeZ0uQ2FWGpg5WG.exe.7.dr, RemoteObjects.cs	Large array initialization: RemoteObjects: array initializer size 307200

PE file contains section with special chars

Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: Space_bake[1].exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_05CDD590 NtUnmapViewOfSection,		10_2_05CDD590
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_05CDD58B NtUnmapViewOfSection,		10_2_05CDD58B

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Windows\System32\GroupPolicy\gpt.ini	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Windows\System32\GroupPolicy\Machine	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Windows\System32\GroupPolicy\User	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A8925D	7_2_00A8925D
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009AC490	7_2_009AC490
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009FA490	7_2_009FA490
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009FB4B0	7_2_009FB4B0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009F64A0	7_2_009F64A0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A36450	7_2_00A36450
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009F8520	7_2_009F8520
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009DB750	7_2_009DB750
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009D8770	7_2_009D8770
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009D78A0	7_2_009D78A0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009DC800	7_2_009DC800
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009E2940	7_2_009E2940
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009D9A80	7_2_009D9A80
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009CEB90	7_2_009CEB90
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009D4B20	7_2_009D4B20
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009FCC40	7_2_009FCC40
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009ABFC0	7_2_009ABFC0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2	7_2_00CA00C2
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A2E040	7_2_00A2E040
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9B02C	7_2_00C9B02C
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CC0020	7_2_00CC0020
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A30100	7_2_00A30100
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009EC160	7_2_009EC160
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9A285	7_2_00C9A285
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A27270	7_2_00A27270
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F3FC	7_2_00C9F3FC
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A803D0	7_2_00A803D0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9A359	7_2_00C9A359
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A1F360	7_2_00A1F360
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009B6490	7_2_009B6490
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A344E0	7_2_00A344E0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9948F	7_2_00C9948F
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009A2410	7_2_009A2410
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F452	7_2_00C9F452
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C97462	7_2_00C97462
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA1473	7_2_00CA1473
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C98403	7_2_00C98403
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A23470	7_2_00A23470
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A8959F	7_2_00A8959F
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9850F	7_2_00C9850F
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA153B	7_2_00CA153B
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A12630	7_2_00A12630
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009A2600	7_2_009A2600
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A2F7B0	7_2_00A2F7B0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009AE7B0	7_2_009AE7B0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A10760	7_2_00A10760
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009D3740	7_2_009D3740
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A11830	7_2_00A11830
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9B877	7_2_00C9B877
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A9B84F	7_2_00A9B84F
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009BF9B0	7_2_009BF9B0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A9D9FE	7_2_00A9D9FE
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C97930	7_2_00C97930
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C97A49	7_2_00C97A49
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9BA4C	7_2_00C9BA4C
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A21A30	7_2_00A21A30
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009EEB90	7_2_009EEB90
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A85B90	7_2_00A85B90
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA0B7D	7_2_00CA0B7D
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A83B58	7_2_00A83B58
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA0C82	7_2_00CA0C82
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9AC9E	7_2_00C9AC9E
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A96CC5	7_2_00A96CC5
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9FC4E	7_2_00C9FC4E
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9AD20	7_2_00C9AD20
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C97EFF	7_2_00C97EFF
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A23EF0	7_2_00A23EF0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009B8EE0	7_2_009B8EE0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA0E1A	7_2_00CA0E1A
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A3EE70	7_2_00A3EE70
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A30E40	7_2_00A30E40
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A22FE0	7_2_00A22FE0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A33FF0	7_2_00A33FF0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C96F26	7_2_00C96F26
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69ADB6B0	10_2_69ADB6B0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF4970	10_2_69AF4970
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B20B89	10_2_69B20B89
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AB8B30	10_2_69AB8B30
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF4AC0	10_2_69AF4AC0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AD2D70	10_2_69AD2D70
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B2AC29	10_2_69B2AC29
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B04EE0	10_2_69B04EE0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69ACA0C0	10_2_69ACA0C0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B063B0	10_2_69B063B0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B12310	10_2_69B12310
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B2A54D	10_2_69B2A54D
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF4550	10_2_69AF4550
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69ABC7B0	10_2_69ABC7B0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69ABA7E0	10_2_69ABA7E0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AB6650	10_2_69AB6650
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B2B964	10_2_69B2B964
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B058D5	10_2_69B058D5
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B058D7	10_2_69B058D7
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B05830	10_2_69B05830
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B29AAB	10_2_69B29AAB
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B25DD2	10_2_69B25DD2
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B05DD0	10_2_69B05DD0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B11CA0	10_2_69B11CA0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF3C90	10_2_69AF3C90
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B2BFF1	10_2_69B2BFF1
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B29FFC	10_2_69B29FFC
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B05EB9	10_2_69B05EB9
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF3E50	10_2_69AF3E50
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B05050	10_2_69B05050
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B05274	10_2_69B05274
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF3260	10_2_69AF3260
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69AF3460	10_2_69AF3460
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032CCA28	10_2_032CCA28
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032CA9B8	10_2_032CA9B8
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032C9890	10_2_032C9890
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032C8368	10_2_032C8368
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032C1120	10_2_032C1120
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032C6F59	10_2_032C6F59
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032C0D60	10_2_032C0D60
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_032C0D70	10_2_032C0D70
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_05CD0040	10_2_05CD0040
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_05CD31C0	10_2_05CD31C0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_05CD31B0	10_2_05CD31B0
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_05CD2E58	10_2_05CD2E58
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_066D26F8	10_2_066D26F8
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_066D0EB3	10_2_066D0EB3
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_066D26DD	10_2_066D26DD
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_066D0930	10_2_066D0930

Source: Joe Sandbox View	Dropped File: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: String function: 00A09F00 appears 32 times
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: String function: 00A0A190 appears 47 times
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: String function: 69B19B35 appears 141 times
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: String function: 69B1D520 appears 31 times
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: String function: 69B190D8 appears 51 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3108 -ip 3108

Source: qk9TaBBxh8.exe

Static PE information: invalid certificate

Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr

Static PE information: Resource name: AUUPG type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: Number of sections : 16 > 10
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: qk9TaBBxh8.exe	Static PE information: Number of sections : 15 > 10
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: Number of sections : 16 > 10
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: Default16_team[1].exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: Space_bake[1].exe.0.dr	Static PE information: Number of sections : 16 > 10
Source: Retailer_prog[1].exe.0.dr	Static PE information: Number of sections : 16 > 10

Source: qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D7023A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires0 vs qk9TaBBxh8.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2167052907.000001D7021D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs qk9TaBBxh8.exe
Source: qk9TaBBxh8.exe, 00000000.00000000.2050186808.00007FF6543E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCookComputing.XmlRpcV2.dll8 vs qk9TaBBxh8.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2142101955.000001D702828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires0 vs qk9TaBBxh8.exe
Source: qk9TaBBxh8.exe, 00000000.00000003.2167052907.000001D702214000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs qk9TaBBxh8.exe

Source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000017.00000002.2716540059.0000000001AFF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000017.00000002.2719169995.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.3022350261.0000000001CBF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001C.00000002.2938091738.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version

Source: lumma1504[1].exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JpL3YVeZ0uQ2FWGpg5WG.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9997554064239332
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: Section: ZLIB complexity 1.000469355620155
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9892578125
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9994283536585366
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@286/417@0/31

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

File created: C:\Users\user\Documents\SimpleAdobe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_11
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

File created: C:\Users\user\AppData\Local\Temp\adobeIT8d9rZTEaOT

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe

File opened: C:\Windows\system32\eecb8e3d148e90cd8ce98b246c214dcb08cf518c0aae8ec46d78507853acaa3fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

File read: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928161171.0000000000AB6000.00000040.00000001.01000000.00000006.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2816985403.0000000000255000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928161171.0000000000AB6000.00000040.00000001.01000000.00000006.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2816985403.0000000000255000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2802010279.0000000006694000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2825178536.00000000019EB000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2802147748.0000000006698000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2803504037.0000000006694000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2802782433.0000000006686000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2803689741.0000000006698000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2800207275.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801712120.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: qk9TaBBxh8.exe	ReversingLabs: Detection: 36%
Source: qk9TaBBxh8.exe	Virustotal: Detection: 25%

Source: zFe0EAtgy56yDxXht4nmozfb.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\qk9TaBBxh8.exe "C:\Users\user\Desktop\qk9TaBBxh8.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" -s .\SZM3Yb.I -u
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp "C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp" /SL4 $20402 "C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe" 3022131 52224
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3108 -ip 3108
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process created: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" -s .\SZM3Yb.I -u
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp "C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp" /SL4 $20402 "C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe" 3022131 52224
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3108 -ip 3108
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fhsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msidle.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncasvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: httpprxp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wpdbusenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceconnectapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: riched20.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: usp10.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: msls31.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: mozglue.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: sfc.dll
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: winsta.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: sxs.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: samlib.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: sfc.dll
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: gpedit.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: activeds.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: dssec.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: dsuiext.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: framedynos.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: authz.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: dsrole.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Section loaded: msvcr100.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: qk9TaBBxh8.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: qk9TaBBxh8.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: qk9TaBBxh8.exe

Static file information: File size 4334016 > 1048576

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: qk9TaBBxh8.exe

Static PE information: Raw size of .vmp(R is bigger than: 0x100000 < 0x3cda00

Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbW source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DCD000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2718547054.0000000069B34000.00000002.00000001.01000000.00000021.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2693560746.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.0000000004AC8000.00000004.00000800.00020000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.0000000004331000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DCD000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\laracu valo35\tag\ped\kixe\vevuyohiyiva_yicofok.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D70232C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128070226.000001D702377000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D702356000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127511693.000001D702218000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126674447.000001D7021F6000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D702377000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000003.2613298063.000001DB77B90000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2622806676.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000266000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D7023E9000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127896153.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126643406.000001D70224D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128179905.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, T9n2wvLQ1PO2GfTxLTyp21hE.exe, 0000000E.00000002.2520477544.00000000002F9000.00000002.00000001.01000000.0000000D.sdmp, T9n2wvLQ1PO2GfTxLTyp21hE.exe, 0000000E.00000000.2397254577.00000000002F9000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbEMP source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2705372697.00000000064C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: zFe0EAtgy56yDxXht4nmozfb.exe, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2928592869.0000000000B39000.00000040.00000001.01000000.00000006.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000001.2521718747.00000000002F0000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vuhuyiwulumopo62_soba.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2132642581.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127967224.000001D7021F5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134526384.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128255759.000001D702217000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2138129759.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2136306601.000001D70245C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130037595.000001D702217000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2129915477.000001D7021B0000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142101955.000001D7027FE000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132761360.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Moq.pdbSHA256@ source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\sehuxi\gukulow\tulatesati\wudapul-rarupi.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2142363047.000001D702353000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2145509043.000001D703B50000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141999180.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2149442634.000001D704113000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142230053.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2143104056.000001D702988000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142675803.000001D702495000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2145072174.000001D703403000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141838147.000001D70224D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2146166478.000001D703DAA000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2142453918.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000003.2613298063.000001DB77B90000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2622806676.000000C0000AC000.00000004.00001000.00020000.00000000.sdmp, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000266000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Moq.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2471533821.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbV source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: uic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583230702.0000000001538000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2472974179.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DD8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\projects\polly\src\Polly.Net45\obj\Release\net45\Polly.pdbjz source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2448673035.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdboF source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2818869445.0000000000DD8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2472336262.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2469992759.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbh source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.000000000165A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbeIn source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2705372697.00000000064C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2705372697.00000000064C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.PDB source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583230702.0000000001538000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.PDB source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2583454236.00000000015D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2693560746.0000000005FAA000.00000004.08000000.00040000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.0000000004B84000.00000004.00000800.00020000.00000000.sdmp, nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.00000000049F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 453C:\laracu valo35\tag\ped\kixe\vevuyohiyiva_yicofok.pdb source: qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D70232C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2128070226.000001D702377000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127430688.000001D702356000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127511693.000001D702218000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126674447.000001D7021F6000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127725914.000001D702377000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Jsakr_KmqehdR6ptAH1OzwuM.exe, 0000000C.00000003.2448940390.0000022634F1C000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Unpacked PE file: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Unpacked PE file: 23.2.ocI8OvNXSYwHw7Rg5l6_f8IK.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe

Unpacked PE file: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack

Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe.0.dr

Static PE information: 0x81E836EB [Mon Jan 24 10:54:35 2039 UTC]

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: 7_2_009B8BB0 LoadLibraryA,GetProcAddress,

7_2_009B8BB0

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp(R

Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6283546

Source: 45NBK9axc23mjqmbKvmG0NYP.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x6b986a
Source: T9n2wvLQ1PO2GfTxLTyp21hE.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2e406a
Source: setup294[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2e406a
Source: TUBbflj40zqtNIEKWH_MWjeG.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3428c5
Source: JpL3YVeZ0uQ2FWGpg5WG.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x51fa4
Source: setup[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x6b986a
Source: tXlQ3NLbQqxBkFS_TfaDHWX4.exe.0.dr	Static PE information: real checksum: 0x443bbc should be: 0x4411b9
Source: lumma1504[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x51fa4
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4a74cf
Source: FSYOvyvMMT80PCsMousFK1Xa.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x6e75f
Source: 060[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x3428c5
Source: cad54ba5b01423b1af8ec10ab5719d97[1].exe.0.dr	Static PE information: real checksum: 0x443bbc should be: 0x4411b9
Source: cjlnYlPYSIAljKunxGKtil91.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x7fbb4

Source: qk9TaBBxh8.exe	Static PE information: section name: _RDATA
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: qk9TaBBxh8.exe	Static PE information: section name: .themida
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: qk9TaBBxh8.exe	Static PE information: section name: .vmp(R
Source: setup294[1].exe.0.dr	Static PE information: section name: .didat
Source: T9n2wvLQ1PO2GfTxLTyp21hE.exe.0.dr	Static PE information: section name: .didat
Source: grabber[1].exe.0.dr	Static PE information: section name: _RDATA
Source: Jsakr_KmqehdR6ptAH1OzwuM.exe.0.dr	Static PE information: section name: _RDATA
Source: setup[1].exe.0.dr	Static PE information: section name: .sxdata
Source: 45NBK9axc23mjqmbKvmG0NYP.exe.0.dr	Static PE information: section name: .sxdata
Source: Space_bake[1].exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vm_sec
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .themida
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Space_bake[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vm_sec
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .themida
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe.0.dr	Static PE information: section name: .vmp$~
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe.0.dr	Static PE information: section name: .xdata
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name:
Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name: .themida
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vm_sec
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .themida
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: 8<&>8<&>
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vm_sec
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .themida
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 70Leo0eE867BJ4vm1aky3Uk3.exe.0.dr	Static PE information: section name: .vmp$~
Source: 123p[1].exe.0.dr	Static PE information: section name: .00cfg
Source: 123p[1].exe.0.dr	Static PE information: section name: .text0
Source: 123p[1].exe.0.dr	Static PE information: section name: .text1
Source: 123p[1].exe.0.dr	Static PE information: section name: .text2
Source: bKj5ORDxbqgwdZav4hyONQmM.exe.0.dr	Static PE information: section name: .00cfg
Source: bKj5ORDxbqgwdZav4hyONQmM.exe.0.dr	Static PE information: section name: .text0
Source: bKj5ORDxbqgwdZav4hyONQmM.exe.0.dr	Static PE information: section name: .text1
Source: bKj5ORDxbqgwdZav4hyONQmM.exe.0.dr	Static PE information: section name: .text2
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .themida
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: Default16_team[1].exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .themida
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R
Source: zFe0EAtgy56yDxXht4nmozfb.exe.0.dr	Static PE information: section name: .vmp(R

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2 push esi; mov dword ptr [esp], ebp	7_2_00E80367
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2 push 4F06C92Dh; mov dword ptr [esp], eax	7_2_00E803EE
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2 push 7636159Eh; mov dword ptr [esp], ebp	7_2_00E8040E
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2 push ebp; mov dword ptr [esp], ebx	7_2_00E80437
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2 push eax; mov dword ptr [esp], 091E1DA7h	7_2_00E8043B
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA00C2 push 0812876Eh; mov dword ptr [esp], edx	7_2_00E80453
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push 61DAC6FAh; mov dword ptr [esp], ebx	7_2_00E8D06B
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push 0D85E02Fh; mov dword ptr [esp], ebx	7_2_00E8D07E
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push edi; mov dword ptr [esp], edx	7_2_00E8D106
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push 2D7165BDh; mov dword ptr [esp], eax	7_2_00E8D136
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push 113FA432h; mov dword ptr [esp], edx	7_2_00E8D185
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push esi; mov dword ptr [esp], edi	7_2_00E8D1B4
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00CA10DF push 16F8509Dh; mov dword ptr [esp], ebp	7_2_00E8D1F2
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push edi; mov dword ptr [esp], 74987DF3h	7_2_00E8B466
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push 0A356C75h; mov dword ptr [esp], edx	7_2_00E8B4A6
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push 2DB481B2h; mov dword ptr [esp], ebp	7_2_00E8B4BE
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push edi; mov dword ptr [esp], 000AAB40h	7_2_00E8B4F4
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push ecx; mov dword ptr [esp], edi	7_2_00E8B544
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push 67A52874h; mov dword ptr [esp], esi	7_2_00E8B55D
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push 4DB8E5FAh; mov dword ptr [esp], esi	7_2_00E8B56B
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push ebp; mov dword ptr [esp], esi	7_2_00E8B5C7
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9C0DE push ecx; mov dword ptr [esp], 689A5673h	7_2_00E8B5DE
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9A085 push esi; mov dword ptr [esp], ecx	7_2_00E83CF7
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9A085 push ecx; mov dword ptr [esp], edi	7_2_00E83D18
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9A085 push edx; mov dword ptr [esp], 1C8962A3h	7_2_00E83D62
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9A085 push 27573FFCh; mov dword ptr [esp], eax	7_2_00E83DAF
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F059 push eax; mov dword ptr [esp], ecx	7_2_00E7F5E2
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F059 push 4E72897Dh; mov dword ptr [esp], ebp	7_2_00E7F5F3
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F059 push 390B7670h; mov dword ptr [esp], ebx	7_2_00E7F5FB
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F059 push edi; mov dword ptr [esp], 000AA9F8h	7_2_00E7F62C
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00C9F059 push ecx; mov dword ptr [esp], 0B2FAB06h	7_2_00E7F68F

Source: ooon0i8sg2EZy1pci_ppgkth.exe.0.dr	Static PE information: section name: entropy: 7.999611881196484
Source: lumma1504[1].exe.7.dr	Static PE information: section name: .text entropy: 7.996781792059311
Source: JpL3YVeZ0uQ2FWGpg5WG.exe.7.dr	Static PE information: section name: .text entropy: 7.996781792059311

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe

Process created: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\d4814c7a[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\setup294[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\python38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\exe\registers.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\setup[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\is-EGFT5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\rules[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\grabber[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File created: C:\Users\user\AppData\Local\Temp\heidiIT8d9rZTEaOT\JpL3YVeZ0uQ2FWGpg5WG.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\twain_32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\cacls.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\zstandard\backend_c.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\soulmediaplayer.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\atieclxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	File created: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Space_bake[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\zstandard\_cffi.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\is-TIE2M.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\btswgej	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Default16_team[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\060[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cad54ba5b01423b1af8ec10ab5719d97[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\BdeUISrv.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_elementtree.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\exe\netconn_properties.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\123p[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	File created: C:\Users\user\AppData\Local\Temp\SZM3Yb.I	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\lumma1504[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\AggregatorHost.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\libssl-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\at.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\is-GP76V.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	File created: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Soul Media Player\is-3VR8O.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File created: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	File created: C:\Users\user\AppData\Local\Temp\SZM3Yb.I			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\btswgej			Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\128.png
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\manifest.json
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\performance.js
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.css
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.html
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\popup.js
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\worker.js
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjnniijcjakoaghpedjpcfkoclplenf\3.0_0\_metadata\verified_contents.json
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\btswgej:Zone.Identifier read attributes | delete

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Memory written: PID: 3608 base: 7FFDB4590008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Memory written: PID: 3608 base: 7FFDB442D9F0 value: E9 20 26 16 00

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: 7_2_00A21A30 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00A21A30

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: nRGT2oA3F8V3EBSM6dmMTrGw.exe PID: 3108, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found API chain indicative of sandbox detection

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_7-49423

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_7-49424

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Stalling execution: Execution stalls by calling Sleep

graph_7-49468

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp

Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Special instruction interceptor: First address: 7FF653CAC146 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Special instruction interceptor: First address: 613339 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Special instruction interceptor: First address: C4B373 instructions caused by: Self-modifying code

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory allocated: 5330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: FC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch

Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

7_2_009FD9F0

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Window / User API: threadDelayed 1047	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Window / User API: threadDelayed 1613	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1069
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 442

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-49489

Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32api.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\python38.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\exe\registers.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\is-EGFT5.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiIT8d9rZTEaOT\JpL3YVeZ0uQ2FWGpg5WG.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\twain_32.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\cacls.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\zstandard\backend_c.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\soulmediaplayer.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\atieclxx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\zstandard\_cffi.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\is-TIE2M.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\BdeUISrv.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_elementtree.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\exe\netconn_properties.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SZM3Yb.I	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\lumma1504[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\AggregatorHost.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\libssl-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\at.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\is-GP76V.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soul Media Player\is-3VR8O.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BMP08.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI40602\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe TID: 6536	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe TID: 3892	Thread sleep count: 1047 > 30	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe TID: 3892	Thread sleep time: -209400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe TID: 5168	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe TID: 3852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe TID: 6724	Thread sleep count: 1613 > 30	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe TID: 6724	Thread sleep time: -162913s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe TID: 5828	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe TID: 4156	Thread sleep count: 156 > 30
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe TID: 5320	Thread sleep count: 85 > 30
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe TID: 5320	Thread sleep count: 155 > 30
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe TID: 6936	Thread sleep count: 60 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6104	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3556	Thread sleep time: -31500s >= -30000s

Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Last function: Thread delayed
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_00A7B1CB FindFirstFileExW,GetLastError,		7_2_00A7B1CB
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009AB300 FindFirstFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,		7_2_009AB300

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2559070588.0000000001961000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6`
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000194B000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000198D000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.000000000133A000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935186807.0000000006678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rogramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2558145071.0000000001350000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.000000000133A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2831094134.0000000006694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2534399884.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2534914256.00000000017B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__=l{TW
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832513735.0000000006771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuV`yw
Source: svchost.exe, 00000004.00000003.2064877424.000001B660644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000194B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: svchost.exe, 00000004.00000003.2064714090.000001B660644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2558145071.0000000001350000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2723423186.000001DB32588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2530760258.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2532049009.00000000017B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__=l{TW
Source: svchost.exe, 00000002.00000002.2365281795.000001721B402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2533712340.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2535385556.00000000017B0000.00000004.00001000.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2532394450.00000000017B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__=l{TW
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2832757833.000000000678C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.000000000198D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn&pd

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Process queried: DebugPort

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

Code function: 10_2_69B2496E UnDecorator::getDataIndirectType,LdrInitializeThunk,DName::operator+=,DName::operator+,UnDecorator::getScope,DName::DName,DName::operator+,DName::operator+=,DName::operator+=,DName::operator+=,DName::operator+=,DName::operator+=,DName::DName,DName::operator+,

10_2_69B2496E

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

Code function: 10_2_69B1B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_69B1B144

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: 7_2_009B8BB0 LoadLibraryA,GetProcAddress,

7_2_009B8BB0

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009B60B0 mov ecx, dword ptr fs:[00000030h]	7_2_009B60B0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009FD9F0 mov eax, dword ptr fs:[00000030h]	7_2_009FD9F0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009FD9F0 mov eax, dword ptr fs:[00000030h]	7_2_009FD9F0
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009BAB90 mov eax, dword ptr fs:[00000030h]	7_2_009BAB90
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Code function: 7_2_009B46B0 mov eax, dword ptr fs:[00000030h]	7_2_009B46B0

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: 7_2_009A94C0 OutputDebugStringA,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree,

7_2_009A94C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B1B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		10_2_69B1B144
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Code function: 10_2_69B1948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		10_2_69B1948B

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: btswgej.37.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 102.53.9.151 80

Allocates memory in foreign processes

Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe

Thread created: C:\Windows\explorer.exe EIP: 87E19D0

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654269878	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x140FC862F
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF65424AA01	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654306125	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtOpenFile: Direct from: 0x140FBCAB9
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654099F90	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x1416B420B
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654268F99	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654259802	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Indirect: 0x140F595B5
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtQueryInformationProcess: Indirect: 0x7FF653EDEC0A	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654099B9D	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x1416AD85D
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF65425115C	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654271721	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF65426DF36	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtQuerySystemInformation: Indirect: 0x7FF653E74BC9	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x140FBCAC6
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF65426ADC1	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF6542317FC	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtSetInformationThread: Indirect: 0x7FF653EDC44F	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtMapViewOfSection: Direct from: 0x14102BFF1
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x141037F5D
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x141699636
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	NtProtectVirtualMemory: Direct from: 0x141019C6D
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtQueryInformationProcess: Indirect: 0x7FF653EDED5F	Jump to behavior
Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	NtProtectVirtualMemory: Direct from: 0x7FF654219A33	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C00000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wifeplasterbakewis.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mealplayerpreceodsju.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: bordersoarmanusjuw.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: suitcaseacanehalk.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: absentconvicsjawun.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pushjellysingeywus.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: economicscreateojsu.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: entitlementappwo.shop
Source: EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2693327853.000000C000372000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stripmarrystresew.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Documents\SimpleAdobe\ocI8OvNXSYwHw7Rg5l6_f8IK.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Sample uses process hollowing technique

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C00000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2BBB008	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 464000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 4C0000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9E3008	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BE0008

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\FSYOvyvMMT80PCsMousFK1Xa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" -s .\SZM3Yb.I -u
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\cjlnYlPYSIAljKunxGKtil91.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3108 -ip 3108
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

Code function: 10_2_69B184B0 cpuid

10_2_69B184B0

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\EWdN3bvBjxAbF1GyzHE7_p73.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\70Leo0eE867BJ4vm1aky3Uk3.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\zstandard VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI40602\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe

Code function: 7_2_00A7C84D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

7_2_00A7C84D

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{C3174531-87C3-4E8A-B459-F082A9BDC670}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{F7268D09-0253-482E-9684-37327F29D4B0}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	Registry value created: Exclusions_Extensions 1			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	Registry value created: Exclusions_Extensions 1

Modifies Group Policy settings

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Modifies power options to not sleep / hibernate

Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

Source: C:\Users\user\Desktop\qk9TaBBxh8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\tXlQ3NLbQqxBkFS_TfaDHWX4.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 17.1.tXlQ3NLbQqxBkFS_TfaDHWX4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000001.2435771287.0000000000843000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Yara detected Mars stealer

Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3015167493.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2626409081.00000000044AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.cjlnYlPYSIAljKunxGKtil91.exe.aeac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cjlnYlPYSIAljKunxGKtil91.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cjlnYlPYSIAljKunxGKtil91.exe.aeac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.2809504099.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2626409081.00000000044AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2439089037.00000000000AE000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2970352519.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RisePro Stealer

Source: Yara match	File source: 7.2.zFe0EAtgy56yDxXht4nmozfb.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eQEIduvtZVhzsp4oDFOuc1gy.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2850327356.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2852539306.00000000066F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eQEIduvtZVhzsp4oDFOuc1gy.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\J4dorNOROd60TEXKOpUsDEA.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\YrWSGTvMbD1qxqADGULdj7d.zip, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.25eac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.25eac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2938091738.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2976391613.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2938091738.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3015167493.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FSYOvyvMMT80PCsMousFK1Xa.exe PID: 3884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: qk9TaBBxh8.exe, 00000000.00000003.2133362351.000001D702131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: TITLe=PqReuElOduOrgsLsxWdIfSpCkXIpJffDrFgNSfOTIoOvihLdLHCvwSQGslZygAOktHpJAxxfDTyUJaltQwGJzOIYYOTDxxHxVrWFYIwevrxmbIgrW
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935186807.0000000006692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935186807.0000000006692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935186807.0000000006692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Directory queried: C:\Users\user\Documents\SimpleAdobe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe	Directory queried: C:\Users\user\Documents\SimpleAdobe	Jump to behavior

Source: Yara match	File source: 0000000F.00000002.3015167493.0000000000447000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2976391613.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2970352519.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zFe0EAtgy56yDxXht4nmozfb.exe PID: 2448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704, type: MEMORYSTR

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 17.1.tXlQ3NLbQqxBkFS_TfaDHWX4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000001.2435771287.0000000000843000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Yara detected Mars stealer

Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3015167493.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2626409081.00000000044AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.cjlnYlPYSIAljKunxGKtil91.exe.aeac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cjlnYlPYSIAljKunxGKtil91.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.cjlnYlPYSIAljKunxGKtil91.exe.aeac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.2809504099.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2626409081.00000000044AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2626409081.000000000454D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2439089037.00000000000AE000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2970352519.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RisePro Stealer

Source: Yara match	File source: 7.2.zFe0EAtgy56yDxXht4nmozfb.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.eQEIduvtZVhzsp4oDFOuc1gy.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2850327356.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2852539306.00000000066F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eQEIduvtZVhzsp4oDFOuc1gy.exe PID: 4160, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\J4dorNOROd60TEXKOpUsDEA.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\YrWSGTvMbD1qxqADGULdj7d.zip, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000017.00000002.2720784429.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2724393718.0000000003961000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.25eac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.25eac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FSYOvyvMMT80PCsMousFK1Xa.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.NyiVs23yIO_0wMOj5TwwBpJ5.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3021827597.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2938091738.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2976391613.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2405630696.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2938091738.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3015167493.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FSYOvyvMMT80PCsMousFK1Xa.exe PID: 3884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NyiVs23yIO_0wMOj5TwwBpJ5.exe PID: 3704, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.nRGT2oA3F8V3EBSM6dmMTrGw.exe.456c010.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.nRGT2oA3F8V3EBSM6dmMTrGw.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe, type: DROPPED

Source: C:\Users\user\Documents\SimpleAdobe\nRGT2oA3F8V3EBSM6dmMTrGw.exe

Code function: 10_2_69ACA0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

10_2_69ACA0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
1 Software	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	51 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 Credential API Hooking	14 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Browser Extensions	1 Bypass User Account Control	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	236 System Information Discovery	SMB/Windows Admin Shares	41 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	1 Windows Service	4 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	1 Email Collection	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	711 Process Injection	1 Install Root Certificate	LSA Secrets	1371 Security Software Discovery	SSH	1 Credential API Hooking	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 Scheduled Task/Job	RC Scripts	1 Scheduled Task/Job	24 Software Packing	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	1 PowerShell	Startup Items	11 Registry Run Keys / Startup Folder	1 Timestomp	DCSync	761 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	761 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	711 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qk9TaBBxh8.exe	37%	ReversingLabs	Win64.Trojan.Znyonm
qk9TaBBxh8.exe	26%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	HEUR/AGEN.1361904
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	100%	Avira	TR/AD.Nekark.sbdpe
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	92%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe	88%	ReversingLabs	Win64.Trojan.Privateloader
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe	92%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\Retailer_prog[1].exe	32%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\123p[1].exe	88%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Space_bake[1].exe	31%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\Default16_team[1].exe	71%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cad54ba5b01423b1af8ec10ab5719d97[1].exe	43%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\grabber[1].exe	26%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\lumma1504[1].exe	92%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Soul Media Player\is-3VR8O.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Soul Media Player\is-EGFT5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Soul Media Player\is-GP76V.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Soul Media Player\libeay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Soul Media Player\libssl-1_1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Soul Media Player\ssleay32.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\AggregatorHost.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\BdeUISrv.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\Install.exe	34%	ReversingLabs	Win32.Adware.Generic
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\at.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\atieclxx.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\cacls.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zSDDAF.tmp\twain_32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI40602\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs

Source	Detection	Scanner	Link
http://193.233.132.139/dacha/rules.exe	25%	Virustotal	Browse
http://185.172.128.23/8e6d9db21fb63946/nss3.dll	20%	Virustotal	Browse
http://185.172.128.23/f993692117a3fda2.phpt	16%	Virustotal	Browse
https://palberryslicker.sbs/	4%	Virustotal	Browse
https://baldurgatez.com/	3%	Virustotal	Browse
http://185.172.128.23/8e6d9db21fb63946/mozglue.dll	8%	Virustotal	Browse
http://185.172.128.23/8e6d9db21fb63946/sqlite3.dll	20%	Virustotal	Browse
http://www.innosetup.com	2%	Virustotal	Browse
http://sodez.ru/tmp/index.php	21%	Virustotal	Browse
https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe	5%	Virustotal	Browse
https://stats.vk-portal.net	0%	Virustotal	Browse
http://193.233.132.253/lumma1504.exe	23%	Virustotal	Browse
http://5.42.66.10/download/th/retail.phphps	20%	Virustotal	Browse
https://gigachadfanclub.org/	4%	Virustotal	Browse
http://uama.com.ua/tmp/index.php	17%	Virustotal	Browse
https://monoblocked.com/525403/setup.exexe	13%	Virustotal	Browse
https://urn.to/r/sds_see	0%	Virustotal	Browse
https://carthewasher.net/	15%	Virustotal	Browse
https://monoblocked.com/	15%	Virustotal	Browse
http://185.172.128.23/8e6d9db21fb63946/msvcp140.dll	8%	Virustotal	Browse
https://monoblocked.com/525403/setup.exe	14%	Virustotal	Browse
https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe	10%	Virustotal	Browse
http://talesofpirates.net/tmp/index.php	17%	Virustotal	Browse

Name	Malicious	Antivirus Detection	Reputation
http://sodez.ru/tmp/index.php	true	21%, Virustotal, Browse	unknown
http://uama.com.ua/tmp/index.php	true	17%, Virustotal, Browse	unknown
http://talesofpirates.net/tmp/index.php	true	17%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.172.128.23/f993692117a3fda2.phpt	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		unknown
http://193.233.132.139/dacha/rules.exe	qk9TaBBxh8.exe, 00000000.00000003.2141201425.000001D702104000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	25%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=81.181.57.52k	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://carthewasher.net/fbdd1d2f6f7fd732cbea599f111537fe/cad54ba5b01423b1af8ec10ab5719d97.exed97.ex	qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701EE7000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/RiseProSUPPORT_IDENTIFIER=Intel64	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.23/8e6d9db21fb63946/nss3.dll	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001CD5000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse	unknown
https://palberryslicker.sbs/	qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
https://papi.vk.com/pushsse/ruim	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://baldurgatez.com/	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc	qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vk.com	qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.instagram.com	qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.23/8e6d9db21fb63946/freebl3.dll3Mu	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.172.128.23/8e6d9db21fb63946/mozglue.dll	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
https://st6-23.vk.com/dist/web/site_layout.20074c02.css	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.23/f993692117a3fda2.phpb36fd1cef167f046e714b525b44eclt-release2949fc6aa0d2f9ea88e	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3015167493.0000000000549000.00000040.00000001.01000000.0000000A.sdmp	false		unknown
https://st6-23.vk.com/dist/web/page_layout.7b5800c2.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aui-cdn.atlassian.com/	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://meet.crazyfigs.top/style/060.exeD	qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.172.128.23/8e6d9db21fb63946/sqlite3.dll	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse	unknown
http://www.innosetup.com	qk9TaBBxh8.exe, 00000000.00000003.2129915477.000001D702263000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132941283.000001D70220C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130108191.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132642581.000001D70230A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2132761360.000001D7023EB000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2129915477.000001D7021D9000.00000004.00000020.00020000.00000000.sdmp, TUBbflj40zqtNIEKWH_MWjeG.exe, 00000012.00000000.2397793800.0000000000410000.00000002.00000001.01000000.00000011.sdmp	false	2%, Virustotal, Browse	unknown
http://ACVC.WPF.Service.WcfT	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		unknown
http://193.233.132.253/lumma1504.exeH	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://st6-23.vk.com/dist/web/grip.0b3b493f.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.253/lumma1504.exe	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935186807.0000000006678000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2935510140.0000000006790000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	false	23%, Virustotal, Browse	unknown
https://baldurgatez.com/~	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://st6-23.vk.com/dist/web/polyfills.isolated.edaffb7b.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/81.181.57.52.	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	false		high
https://carthewasher.net/R	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.42.66.10/download/123p.exe.203/dl.php	qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/RiseProSUPPORT	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bbuseruploads.s3.amazonaws.com/8b0be658-c958-47a3-96e4-fc8e5fe7c5dc/downloads/dc50f97b-477f-	qk9TaBBxh8.exe, 00000000.00000003.2130037595.000001D702241000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2126739049.000001D70218A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://carthewasher.net/fbdd1d2f6f7fd732cbea599f111537fe/cad54ba5b01423b1af8ec10ab5719d97.exejd	qk9TaBBxh8.exe, 00000000.00000003.2141201425.000001D7020E9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe	qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
https://stats.vk-portal.net	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://meet.crazyfigs.top/F	qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		unknown
http://185.172.128.23/8e6d9db21fb63946/msvcp140.dllkM-	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gigachadfanclub.org/	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse	unknown
http://5.42.66.10/download/th/retail.phphps	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse	unknown
https://r.mradx.net	qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse	unknown
https://cdn.cookielaw.org/	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://st6-23.vk.com/dist/web/unauthorized.f646a9e2.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://monoblocked.com/525403/setup.exexe	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp	false	13%, Virustotal, Browse	unknown
https://urn.to/r/sds_see	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000002.2623125717.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://st6-23.vk.com/css/al/fonts_cnt.c7a76efe.css	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175246907.000001D7021AC000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2169327203.000001D70213F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.vk.me	qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/moq/moq4	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		high
https://meet.crazyfigs.top/Z	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.172.128.203/dl.phpL	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/irfailAt	FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	false		high
https://st6-23.vk.com/dist/web/chunks/vkui.847cc706.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://palberryslicker.sbs:80/lander/File_294/setup294.exe;	qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://st6-23.vk.com/dist/web/ui_common.20074c02.css	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://carthewasher.net/fbdd1d2f6f7fd732cbea599f111537fe/cad54ba5b01423b1af8ec10ab5719d97.exe	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701EE9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://carthewasher.net/	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse	unknown
https://monoblocked.com/	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F42000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse	unknown
https://cdn.ampproject.org	qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://management.core.usgovcloudapi.netGODEBUG	EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://185.172.128.23/8e6d9db21fb63946/msvcp140.dll	NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000002.3022417132.0000000001D22000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse	unknown
https://monoblocked.com/525403/setup.exe	qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse	unknown
https://bitbucket.org/gs	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/A	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	false		high
https://c.574859385.xyz/b	qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://st6-23.vk.com/dist/web/css_types.1bff1a5b.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.security.us.panasonic.com	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		high
https://t.me/risepro_bot.52nia	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vk.com:80/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZg	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118393401.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2118542305.000001D701F0E000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167644651.000001D701F18000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveT	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		unknown
https://cdn.syndication.twimg.com	qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_boteriSign	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.vk.com	qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://securepubads.g.doubleclick.net	qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2823051341.0000000006798000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2806766200.00000000066C8000.00000004.00000020.00020000.00000000.sdmp, zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000003.2804433882.00000000066B2000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2805132778.0000000006240000.00000004.00000020.00020000.00000000.sdmp, eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000003.2801816472.0000000006201000.00000004.00000020.00020000.00000000.sdmp, NyiVs23yIO_0wMOj5TwwBpJ5.exe, 0000000F.00000003.2539258847.0000000001D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vk.ru	qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://management.core.chinacloudapi.cnchacha20poly1305:	EWdN3bvBjxAbF1GyzHE7_p73.exe, EWdN3bvBjxAbF1GyzHE7_p73.exe, 00000008.00000002.2776004100.00007FF6359C9000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
https://palberryslicker.sbs/lander/File_294/setup294.exeS	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0	FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	false		high
https://vk.com/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZgmzf	qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d136azpfpnge1l.cloudfront.net/;	qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F02000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.253/lumma1504.exe0	zFe0EAtgy56yDxXht4nmozfb.exe, 00000007.00000002.2932153038.00000000019C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199673019888	FSYOvyvMMT80PCsMousFK1Xa.exe, 0000000B.00000002.2435161937.000000000025E000.00000004.00000001.01000000.00000007.sdmp	false		high
http://5.42.66.10/download/th/getimage16.php.php	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://st6-23.vk.com/dist/web/chunks/vkcom-kit-icons.826b9222.js	qk9TaBBxh8.exe, 00000000.00000003.2169098487.000001D70226D000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70226C000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D7021B5000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2175170227.000001D702275000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174809957.000001D7022E1000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D702273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.us/scalar	EWdN3bvBjxAbF1GyzHE7_p73.exe	false		unknown
https://connect.facebook.net	qk9TaBBxh8.exe, 00000000.00000003.2174961511.000001D70224A000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2168846358.000001D70224A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot	eQEIduvtZVhzsp4oDFOuc1gy.exe, 0000000D.00000002.2819469412.0000000001366000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.42.66.10/download/th/retail.php16.php	qk9TaBBxh8.exe, 00000000.00000003.2141347536.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2167698136.000001D701F29000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2135410810.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2140953938.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2134794548.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2133898149.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2141954361.000001D701F12000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2127220108.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp, qk9TaBBxh8.exe, 00000000.00000003.2130431909.000001D701F0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT	nRGT2oA3F8V3EBSM6dmMTrGw.exe, 0000000A.00000000.2397354655.0000000000D12000.00000002.00000001.01000000.00000008.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.233.132.139	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
85.192.56.26	unknown	Russian Federation	12695	DINET-ASRU	false
37.221.125.202	unknown	Lithuania	62416	PTSERVIDORPT	false
18.205.93.1	unknown	United States	14618	AMAZON-AESUS	false
104.21.82.182	unknown	United States	13335	CLOUDFLARENETUS	false
104.26.5.15	unknown	United States	13335	CLOUDFLARENETUS	false
193.233.132.253	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
87.240.132.72	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
172.67.132.113	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.169.146	unknown	United States	13335	CLOUDFLARENETUS	false
95.142.206.0	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.2	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
5.42.65.50	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
95.142.206.1	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
184.30.122.179	unknown	United States	16625	AKAMAI-ASUS	false
104.21.63.150	unknown	United States	13335	CLOUDFLARENETUS	false
102.53.9.151	unknown	Morocco	6713	IAM-ASMA	true
172.67.207.236	unknown	United States	13335	CLOUDFLARENETUS	false
190.12.87.61	unknown	Peru	27843	OPTICALTECHNOLOGIESSACPE	false
37.27.87.155	unknown	Iran (ISLAMIC Republic Of)	39232	UNINETAZ	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
193.233.132.226	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
172.67.132.207	unknown	United States	13335	CLOUDFLARENETUS	false
185.172.128.23	unknown	Russian Federation	50916	NADYMSS-ASRU	true
172.67.75.163	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.180.119	unknown	United States	13335	CLOUDFLARENETUS	false
5.42.66.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
52.216.33.65	unknown	United States	16509	AMAZON-02US	false
45.130.41.108	unknown	Russian Federation	198610	BEGET-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429030
Start date and time:	2024-04-20 05:47:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qk9TaBBxh8.exe renamed because original name is a hash value
Original Sample Name:	cb4118382e3f97f0db04938a4e31e3e1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@286/417@0/31
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Execution Graph export aborted for target EWdN3bvBjxAbF1GyzHE7_p73.exe, PID 4540 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
05:47:54	API Interceptor	18x Sleep call for process: qk9TaBBxh8.exe modified
05:48:28	API Interceptor	1x Sleep call for process: nRGT2oA3F8V3EBSM6dmMTrGw.exe modified
05:48:33	API Interceptor	6x Sleep call for process: tXlQ3NLbQqxBkFS_TfaDHWX4.exe modified
05:48:33	API Interceptor	1x Sleep call for process: bKj5ORDxbqgwdZav4hyONQmM.exe modified
05:48:35	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
05:48:38	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
05:48:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
05:48:39	API Interceptor	1226x Sleep call for process: explorer.exe modified
05:48:43	API Interceptor	48x Sleep call for process: RegAsm.exe modified
05:48:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
05:49:14	API Interceptor	1379x Sleep call for process: 70Leo0eE867BJ4vm1aky3Uk3.exe modified
05:49:18	Task Scheduler	Run new task: Firefox Default Browser Agent D9A740C159784434 path: C:\Users\user\AppData\Roaming\btswgej
05:49:18	Task Scheduler	Run new task: MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR path: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe
05:49:19	Task Scheduler	Run new task: MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG path: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe
05:49:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe
05:49:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.139	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	193.233.132.139/silno/download.php
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
85.192.56.26	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	85.192.56.26/api/flash.php
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	85.192.56.26/api/flash.php
	5NlNJIHhTf.exe	Get hash	malicious	Unknown	Browse	85.192.56.26/api/flash.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PTSERVIDORPT	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	37.221.125.202
	SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe	Get hash	malicious	Glupteba, PureLog Stealer, zgRAT	Browse	37.221.125.202
	https://jornaleconomico.pt	Get hash	malicious	Unknown	Browse	185.32.188.231
	https://bestmigration.com.au/sls/As.htm	Get hash	malicious	Unknown	Browse	185.32.189.194
	6NuC4OT0LS.exe	Get hash	malicious	Unknown	Browse	185.32.190.113
	3nbHp9kVxm.exe	Get hash	malicious	Unknown	Browse	185.32.190.113
	duPuDjP64m.exe	Get hash	malicious	SmokeLoader	Browse	185.32.190.113
	S.M.EXProjectXAppilication.xls	Get hash	malicious	SmokeLoader	Browse	185.32.190.113
	Factura.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.32.189.185
	Factura.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.32.189.185
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	SenPalia.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SenPalia.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://diversityjobs.com/employer/company/1665/Worthington-Industries-Inc	Get hash	malicious	Unknown	Browse	34.66.73.214
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.186.192
	s.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	s.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Sp#U251c#U0434ti.exe	Get hash	malicious	DanaBot	Browse	34.117.186.192
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	34.117.186.192
FREE-NET-ASFREEnetEU	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	SecuriteInfo.com.Win32.Evo-gen.29833.28353.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	193.233.132.167
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	193.233.132.226
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.167
	tA6etkt3gb.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	193.233.132.167
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	185.103.100.31
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	147.45.67.1
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	dendy.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
DINET-ASRU	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	213.248.43.58
	SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe	Get hash	malicious	Glupteba, PureLog Stealer, zgRAT	Browse	85.192.56.26
	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	85.192.56.26
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	85.192.56.26
	5NlNJIHhTf.exe	Get hash	malicious	Unknown	Browse	85.192.56.26
	8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe	Get hash	malicious	GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	85.192.56.26
	e8iuAWz9pB.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	85.192.56.26
	5zq2Yob8xh.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	85.192.56.26
	hyWl33Q2OI.elf	Get hash	malicious	Unknown	Browse	85.192.49.120
	21vew6yzwZ.elf	Get hash	malicious	Gafgyt	Browse	217.18.63.132

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	LXoASvZRu1.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	nXXx6yL69w.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe	Get hash	malicious	Phonk Miner, PureLog Stealer, Vidar	Browse
	Gpeym6icI3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	dc8laldmc8.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	TANQUIVUIA.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
C:\ProgramData\mozglue.dll	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	LXoASvZRu1.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	nXXx6yL69w.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe	Get hash	malicious	Phonk Miner, PureLog Stealer, Vidar	Browse
	Gpeym6icI3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	dc8laldmc8.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\NyiVs23yIO_0wMOj5TwwBpJ5.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\kPBjgT9TnN00tvBCDizDiq41.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1049600
Entropy (8bit):	7.586813349499062
Encrypted:	false
SSDEEP:	24576:7peBIQfi0lwzUpIEeQxsxPInhWsn0aDG3W:7UB7f3VxsZ4Wsn00Gm
MD5:	BABB0A05BFFC1AA3AD452F745FF1C9E1
SHA1:	95C86A5F55AB1A5481B4B8ADEE86677A9740B2DE
SHA-256:	1A6CF9AA24099FBC37FAC9B157A5DC41FA7003279749512314DAF8FE6157B27B
SHA-512:	F1FAF7D0C53778FAD98C413FFF2D3CF8DFC4A454B37AB4523B697268D0E81761BB0E6808532B9F819A89F8CBB282151ADD563B3D6E477806EDE20252D89E1C2B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............G...G...G...G...G..:G...G..;G:..G.HG...G...G...GOL>G...G...G...GOL.G...GRich...G........................PE..L....Y.d......................k.....+e............@...........................l.....1........................................Q..x.....j..$..........................0...8....................<.......<..@............................................text............................... ..`.rdata.............................@..@.data.....h..`.......B..............@....rsrc....$....j..&..................@..@................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	315904
Entropy (8bit):	7.9900301024348765
Encrypted:	true
SSDEEP:	6144:DVa+NrJiVBc2wc6oKXwdUWFQg1SGWEWAMiY7ivtaqgntTZXHAYq7:J1NrJaBcOOiHWEWAMFKtdstTfq
MD5:	C60F5FA3A579BCA2C8C377F7E15B2221
SHA1:	D44B5C6DD64284F00D6F9D05CF5327A91CAD9339
SHA-256:	F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
SHA-512:	F419ADF4BD07CE18D9B7DE7445B2D0185653DE27738FD4403F880EE11BF49CA8A1958C1B2C94F8F4C5DA52EBC79462CFB6FE71849439F6AF017A95B44AF2F77B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, Detection: malicious, Browse Filename: TANQUIVUIA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5..........."...0.............~2... ........@.. .......................@............`.................................,2..O............................ .......1..8............................................ ............... ..H............text...H.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`2......H........$.................................................................]....0..#.........i. .......... .............+B.....- ....d....(....(...............+.......(...........o......X.. ....2.....+7. ....... ..............XX.. ....]...................X.. ....2........+f...+T..X ....].....X ....]...........&...................X ....]..........%G....a.R...X......i2....X.....2....................(....n .........%.....(..........0..H.........89.....P......%G ....X.R.P....

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	101526
Entropy (8bit):	3.068743720093317
Encrypted:	false
SSDEEP:	3072:6Nzzq3EpxCR4KA9a/zJZha7+RY05+Zj/ItqGM6OTzVbz0O5AoiBRp7AxidAC:H
MD5:	4BC97F08C109DC371B0C525529E4FC16
SHA1:	D6A2A9E7832B5564708805FB84454D0C04E9CF3B
SHA-256:	2C4DDAE6C3BEFED2C6339B18B86BEFF3C41F4589E0B152B1FA72FB9817744EA2
SHA-512:	A17A8DB2B047C1FFAB78C90E9E6D7961D7418DC7211F5E12BF6C671485C9982577B634B97B8866F476CF35336EFDD0ABF5A1E0B0B798B09DE9430458D2972450
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:	C:\Users\user\Documents\SimpleAdobe\bKj5ORDxbqgwdZav4hyONQmM.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11214848
Entropy (8bit):	7.97772484802616
Encrypted:	false
SSDEEP:	196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG
MD5:	B091C4848287BE6601D720997394D453
SHA1:	9180E34175E1F4644D5FA63227D665B2BE15C75B
SHA-256:	D0B06CA6ECE3FEF6671FA8ACD3D560A9400891ABCD10F5CEDCFE7BD1E6050DFE
SHA-512:	A3B3663FD343389AEE2CBF76F426401D436992B2B56CEA3B60E9C2E385510FA874FA45B2AC75703074F0303934C4223EAEE1983851374A2E753FD0302042CC5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....L.f..........#.................y..........@.............................@............ ...................................................f.d.......X,..`...*...........................................v..(... ..8...............h............................text....~.......................... ..`.rdata..............................@..@.data...h...........................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0...4+......................... ..`.text1..8...........................@....text2..\... .....................`..h.rsrc...X,.........................@..@........................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\ooon0i8sg2EZy1pci_ppgkth.exe
File Type:	RIFF (little-endian) data, Web/P image
Category:	dropped
Size (bytes):	29306
Entropy (8bit):	7.92147583488826
Encrypted:	false
SSDEEP:	768:xcjd3JISqF22OkACKSchdtm38rpsnNbd/bc7hS8mbE33wC06bA:mjISqF22Od6AtM8rpsNbd/WmSweM
MD5:	F47A2FC416A8E5B5A89DF402C45F1C35
SHA1:	7E57689F339B017C964A7CCFC44F823F664452FA
SHA-256:	718B06ABAD15580EF39B01D703E7A8CF7EF00379FCABD16F77803BA14F0628DF
SHA-512:	28965BB9E775CF74E879829F49EE48EBBAF3CBEF683B2A2AE25B23FB680DE3A94FCAB1CAB1AFC9D4962EA7F5F09D967A11B9AA0DD901DC4CFC2DF3EF04E067DA
Malicious:	false
Preview:	RIFFrr..WEBPVP8X.... .........ICCP.............0..mntrRGB XYZ ............acsp.......................................-....................................................desc.......$rXYZ........gXYZ...(....bXYZ...<....wtpt...P....rTRC...d...(gTRC...d...(bTRC...d...(cprt.......<mluc............enUS.........s.R.G.BXYZ ......o...8.....XYZ ......b.........XYZ ......$.........XYZ ...............-para..........ff......Y.......[........mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6VP8L.p../.....u!...........{.?..9g$..'..N...-n..Ul...qYX...8--..Qji.$.g&3g......=...m[..6..>..Q.........9..N.............o.......,.,.T..}..@.......~.....qRQ.e.m.m.o...V..e..RI.K...>....$I.t.8..==\|._}......EZ$ .......@i..!..)....@.l...ZF......a.$H.......P`[.d...aK.......Jg.l......`.:KA.0FF.....!..8U.;0.A...lK..:K.LE.,........K.d..J..KJ;,.... ..S.... ....H....H......R&. .X.Q.$.Cr")........K..... .p....L...%..rd.Rd[..)....R...pZ...%.\.)!......@)...................0.......r.#.FB)..

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	102408
Entropy (8bit):	4.026449548832267
Encrypted:	false
SSDEEP:	768:G1AEqkeGavyF9jk0kbxmxwuONWLgCVj0BRoP8n9R1v8lSRVTmMypJ36hU5heiKC4:fBkCvRxmxwuWkheiKCGKnXWF6XK+WL7T
MD5:	FEAEEDC73F06032699F1CA6D14A406F3
SHA1:	C937531208F366C4E698CEC41321F8953831EE6D
SHA-256:	7909C94DA2C2BD77C68B47D84FE65ED5251D72D9043D33D5CA697D277F26A3ED
SHA-512:	6C1A91D40266D2BBADD81FDE6A76B22683F1EE195ECD5D4F9CF689253C807D0AFE09B957AC5B11E6220D86E79103E283ABCD020B6B742A9D7FEF64FAA3307E16
Malicious:	false
Preview:	....h... ...............P...............X...@...]...h...................V.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B............................................e.n.g.i.n.e.e.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B.........................................

Process:	C:\Users\user\Desktop\qk9TaBBxh8.exe
File Type:	data
Category:	dropped
Size (bytes):	5077012
Entropy (8bit):	6.713227789841581
Encrypted:	false
SSDEEP:	49152:pVJXO9PUAjyyUWbeBV3XEWkMgv3KT0RJ3P23QM+IL6:pVJUPZjjUWbg3UYgv6SpP2gMC
MD5:	1047B1F6A74DA3574E0995A5A122489A
SHA1:	3E0A1BECFD48F15CE486E85B1D2F29D079388B43
SHA-256:	F8D58AFC94CE91D30BEC6308306132E23A888D0B6D95DB461E4D5F9F7DFBEB51
SHA-512:	55B8CF3817E86EB0665CFCB2C94F4A59CF1026DBA202D5644D2DE2E2685A8DEDE8CE51B07C822F3B76126B98FEFC4F0B2DEA4C0B548511DE2EFDB9CB008E7B36
Malicious:	false
Preview:	..fUXO......................................................................4..Y.4A}\|f5egzrgtx5vt{{za5wp5g`{5\|{5QZF5xzqp;...1.........gf...5...5...5..4...5...4a..5...4...5o7.5...5o7.4..5o7.4...5o7.4...5...4...5...5K..5^4.4..5^4.5...5...5...5^4.4...5G\|v}...5................EP..Y......s...............2...../......../.......................................I.....P.[.......................................1..........J....................I..............................E1.....................................................55555555.........y..................5..u55555555k............e..................55555555............g..................;gfgv....J.......u......................55555555......6..G.....................W;\|qtat........1......!U.................;ayf.........E1......#U.................;a}px\|qt..-..u1...-..-U.............u...;gpyzv........I......mX.....................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-7JMLT.tmp\is-P287H.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392048
Entropy (8bit):	6.542831007177094
Encrypted:	false
SSDEEP:	6144:1eIwnft+S34NVSTjMFR+oVbKQfbno1/1oz6i2EDSD4I+XdtQXGMiFcoOjAWcIhbl:1eIwnft+S34NVSTQD+oVbKQfrC/1ct25
MD5:	EE856A00410ECED8CC609936D01F954E
SHA1:	705D378626AEC86FECFDF04C86244006BC3AF431
SHA-256:	B6192300D3C1476EF3C25A368D055AA401035E78F9F6DBE5F93C84D36EF1FA62
SHA-512:	666D731247DAEAE4B57925DFA8CAE845327FD34E0F6B9AAD1BCF471D1800D7E8AF5642A5FB6E0EC58BA3AC7DD98A6D3FE0B473F34C16FFB9985621C98C0463EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.v[N.%[N.%[N.%4.$QN.%4.$.N.%4.$IN.%4.$YN.%..$HN.%..$GN.%..$KN.%..$XN.%[N.%.O.%..$iN.%..$ZN.%.e%ZN.%..$ZN.%Rich[N.%........PE..L...D.r^...........!.....8..........^7.......P......................................'.....@..........................6..<)..L_..<.......X...............p3.......3..@,..............................`,..@............P...............................text....7.......8.................. ..`.rdata..l....P.......<..............@..@.data....?...p...6...X..............@....rsrc...X...........................@..@.reloc...3.......4..................@..B................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\45NBK9axc23mjqmbKvmG0NYP.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	307200
Entropy (8bit):	6.022775961297155
Encrypted:	false
SSDEEP:	3072:g/YYB7p8xLMjbC3rS7z9VDJklpDdoz3JwbmVY9AIxh5LelcJ/uXCFQUPmLMqlls5:g/9CO7B3Ypp8ee2A2eWkTflmW
MD5:	47C19E04E2043BD761373577E4828AED
SHA1:	E8CA26022EF413CA072AFC267E7606095734F08F
SHA-256:	9252AA86C04C06C3EDE85ED875F0C50324587BB00355530FA7141912CB34FCA6
SHA-512:	54151BCA97F70B4277F56B3A5EE44EAD17D288E14E32C5D4FC42C432FE5CA887A13664C42FE80D19A17DDDDDD4FEF0F428A6930F88C478F6249D059BBD4E231B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J>L.$mL.$mL.$mE..m..$m.. lF.$m..'lH.$m..!lo.$mL.%mG.$m..%lO.$m..,lS.$m...mM.$m...mM.$m..&lM.$mRichL.$m........................PE..d...2.UA.........."......0...p.................@....................................K.....`.......... ......................................X... ....... ....P..H'..............T...P...T...................pT..(...0S..@............T.. ............................text....".......0.................. ..`.rdata.......@.......@..............@..@.data.... ...0... ...0..............@....pdata..H'...P...0...P..............@..@.didat..............................@....rsrc... ...........................@..@.reloc..T...........................@..B........................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\T9n2wvLQ1PO2GfTxLTyp21hE.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2899968
Entropy (8bit):	7.956832518326607
Encrypted:	false
SSDEEP:	49152:p8B2SJquyGzsEty3ITg2kUg8KcNK3quqM7Ncy1q2JvHqDY9F6qdGUGaJ0N43v:pyjqJGzJtrjkUgv9qoNcy5o89gqdVGaZ
MD5:	C54E03891895F680FA9E60C8B2A2DC8B
SHA1:	AD65AABF7FE85734BDD9E1C492DB8FB0D0D6073C
SHA-256:	DA21701AE98546F8B4487729AAF57D87C76E57381B9DBD6C7FC0C8C6624B221C
SHA-512:	607EDDC12A4DDEB98596DF9EF1D374987D727F87A7D77DAC8D2EAFB8E810532CD15AD2500078EDBF9EA6F49B414A55A09F4C0438764469AA9048DEB32E263B3F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................$...g.hV#g..#g..#g..L....g...<...g.. ...wf......ef..M:..wf..E....f..#g...f....\|..f....z..f..#g..Pg..L...kg...>..jg...<...g..8...=f.......g..E...Mg....\|..g..#g..6g...<...f..^....f..Rich#g..............................................PE..L.....#f...........!.....@...L...F..J........................................P,.....C2-..............................X......LV..P.....+.......................+....@d...............................................P..X............................text...Y*.......0.................. ..`.idata.......@.......@.............. ..`.rdata.......P.......P.................@.data........`.......`..............@....qdata..kd&.. ...p&.................@...510OCR..[.....).......).............@....CRT..........+......p+.............@..@.rsrc.........+.......+..............?.@.reloc........+.......+.............@..B....................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\Jsakr_KmqehdR6ptAH1OzwuM.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	578384
Entropy (8bit):	6.524580849411757
Encrypted:	false
SSDEEP:	12288:RBSNvy11qsslnxU/1ceqHiNHlOp/2M+UHHZpDLO+r2VhQEKZm+jWodEEVAdm:RBSDOFQEKZm+jWodEE2dm
MD5:	1BA6D1CF0508775096F9E121A24E5863
SHA1:	DF552810D779476610DA3C8B956CC921ED6C91AE
SHA-256:	74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
SHA-512:	9887D9F5838AA1555EA87968E014EDFE2F7747F138F1B551D1F609BC1D5D8214A5FDAB0D76FCAC98864C1DA5EB81405CA373B2A30CB12203C011D89EA6D069AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."...f..f..f.....d..o.A.p..f........c.....n.....b...........g....-.g.....g..Richf..........................PE..d................." ...$.F...V......`1....................................................`A........................................PB..h.......,................9......PO......8...p...p...........................0...@............`...............................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data....8...@......................@....pdata...9.......:...<..............@..@.rsrc................v..............@..@.reloc..8............z..............@..B................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\eQEIduvtZVhzsp4oDFOuc1gy.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\TUBbflj40zqtNIEKWH_MWjeG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	663552
Entropy (8bit):	6.468795027177811
Encrypted:	false
SSDEEP:	12288:XeuHnWgyrgVu4rPy37WzH0A6uaF4JNK3NFRvYNajlxp:uuHcrgVxrPy37WzH0A6uwkNKkKlxp
MD5:	813B26B63B6054C7B58D09F32E61AB18
SHA1:	C2013DE9EE6719AE5E6B02C67703FFB8F7DC3BE7
SHA-256:	988CE8EF5CD91646AFECC82E5254A4410D87F13E7E51F7ABC8502C7380952E8C
SHA-512:	2BE996564026C654A2058B842AF2D1A3B681BA845E7C4B4CF02969FB2E21A7E54916F61B735C13A5D7647ABB6F8054C56DF2A1FD309EE40640D5647771851F5C
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................."%.......0...................................................@......................................................CODE....,........................... ..`DATA................................@...BSS.....T................................idata.."%.......&..................@....tls.........0...........................rdata.......@......................@..P.reloc.......P......................@..P.rsrc....0.......0..................@..P....................................@..P........................................................................................................................................

Entrypoint:	0x140977dcc
Entrypoint Section:	.vmp(R
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x660BFEF8 [Tue Apr 2 12:50:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	023aae353653db016d3a89da454d1d86

Signature Valid:	false
Signature Issuer:	CN=\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	13/04/2024 11:26:20 14/04/2034 11:26:20
Subject Chain	CN=\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z\u0153\xe1z\xb1\xe5z\xb1\xe5z\xb1\xe6z\xb1\xe5z\xb1\xe5z\xb1\xe5z
Version:	3
Thumbprint MD5:	77E3547D756C42A66CB4426739A242FF
Thumbprint SHA-1:	A3E3582D69361C09C56050EFDAB96F951FD96C2B
Thumbprint SHA-256:	7518998411E11FEBA2B334A8272475F043647D34BA731C223E012BD81917BDD0
Serial:	3A02069D084A9BAE4554635C0DB95A8D

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x992ab8	0xa0	.vmp(R
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb02000	0x50a79	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xaf0510	0xf330	.vmp(R
IMAGE_DIRECTORY_ENTRY_SECURITY	0x420400	0x1dc0	.themida
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb00000	0x1538	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x986450	0x28	.vmp(R
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x731000	0x98	.vmp(R
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18f9ce	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x191000	0x47046	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1d9000	0xb198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1e5000	0xf198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x1f5000	0x1f4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp(R	0x1f6000	0x50a69	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x247000	0x21d0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x24a000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x24b000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x24c000	0x47e000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp(R	0x6ca000	0x66094	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp(R	0x731000	0x3d0	0x400	0d3898a8a02c3d23d471d010f3e92ad2	False	0.07421875	COM executable for DOS	0.3850178590743897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp(R	0x732000	0x3cd840	0x3cda00	9380cfcd5b324aeea8f4315691ff507d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xb00000	0x1538	0x1600	3fe1f329a2b5fa6250cc2048518a6dd6	False	0.18927556818181818	GLS_BINARY_LSB_FIRST	5.4080546027320295	IMAGE_SCN_MEM_READ
.rsrc	0xb02000	0x50a79	0x50c00	cc43224ceff199851d4d948f048f8c0f	False	0.5924710961687306	data	6.316232236670494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TYPELIB	0xb02320	0xb8a0	data			0.2674128300609343
RT_ICON	0xb0dbc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7207446808510638
RT_ICON	0xb0e028	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.47759336099585065
RT_ICON	0xb105d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.34464095587365434
RT_ICON	0xb20df8	0xf23b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9995000886939414
RT_ICON	0xb30038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7207446808510638
RT_ICON	0xb304a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.47759336099585065
RT_ICON	0xb32a48	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.34464095587365434
RT_ICON	0xb43270	0xf23b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9995000886939414
RT_GROUP_ICON	0xb524b0	0x3e	data	English	United States	0.8387096774193549
RT_GROUP_ICON	0xb524f0	0x3e	data	English	United States	0.8870967741935484
RT_VERSION	0xb52530	0x3a4	data			0.45064377682403434
RT_MANIFEST	0xb528d8	0x1a1	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5755395683453237

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qk9TaBBxh8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Threatname: SmokeLoader

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Change of critical system settings

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BFBGHDGCFHIDBGDGIIIE

C:\ProgramData\BFHIJEBKEBGHIDHJKJEG

Windows Analysis Report
qk9TaBBxh8.exe

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	GetCursorPos
ADVAPI32.dll	RegCloseKey
SHELL32.dll	SHGetFolderPathA
ole32.dll	CoCreateInstance
OLEAUT32.dll	VariantClear
kernel32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Target ID:	0
Start time:	05:47:52
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\qk9TaBBxh8.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qk9TaBBxh8.exe"
Imagebase:	0x7ff6538e0000
File size:	4'334'016 bytes
MD5 hash:	CB4118382E3F97F0DB04938A4E31E3E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	05:48:27
Start date:	20/04/2024
Path:	C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Documents\SimpleAdobe\zFe0EAtgy56yDxXht4nmozfb.exe
Imagebase:	0x9a0000
File size:	4'292'096 bytes
MD5 hash:	11A92C610057432013E972144EFC0EA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2850327356.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2852539306.00000000066F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	27
Start time:	05:48:30
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x200000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	05:48:32
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x650000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	05:48:34
Start date:	20/04/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff61a7e0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	61.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	97

Description:	Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
Tactics:	Reconnaissance
Data Sources:	Internet Scan: Response Content
Platforms:	PRE
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre