Windows Analysis Report
831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe

Overview

General Information

Sample name: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe
Analysis ID: 1434962
MD5: e159e87fbe0192614bd548893ae5f53d
SHA1: 03d42dc2df49907a9b97264aaa2bfcbdd5133093
SHA256: 831107010c8578ad95a12c5498b03755eac398b5bbc0d3211a4d112b11d30b34
Tags: exeRiseProStealer
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected RisePro Stealer
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Found suspicious ZIP file
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Overwrites Mozilla Firefox settings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a Chrome extension
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Steals Internet Explorer cookies
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe ReversingLabs: Detection: 37%
Uses 32bit PE files
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.LICENSE.txt
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbRX_INSTALL source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476360362.00000000052A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: calc.pdbGCTL source: calc.exe, 00000014.00000002.2481938307.00000000029B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: krnlmp.pdb source: calc.exe, 00000014.00000003.2456735636.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2466522852.0000000005871000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2471959781.0000000005586000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2477032525.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476679096.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475602757.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbn source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\BrowserMetricsod.pdb,j source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2allet\* source: calc.exe, 00000014.00000003.2472630506.00000000054D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2466522852.0000000005871000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbs< source: calc.exe, 00000014.00000003.2474477222.000000000539D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2470260603.0000000005660000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2469593465.000000000565C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\A source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831jss7 source: calc.exe, 00000014.00000003.2466522852.0000000005871000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2470260603.0000000005660000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2469593465.000000000565C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbolstkrnlmp.pdbG92\ source: calc.exe, 00000014.00000003.2477032525.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476679096.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475602757.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476360362.00000000052A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2475093113.0000000005348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC282F source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2.func2 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2.func1 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2474477222.000000000539D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upV01Z6rQz0.PdbcxM source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831N source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbp source: calc.exe, 00000014.00000003.2472934312.0000000005491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2472934312.0000000005491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbDa{jMZ\: source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2477312586.0000000004D8C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbatio source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2.func2.1 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2472630506.00000000054D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831js source: calc.exe, 00000014.00000003.2470260603.0000000005660000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2469593465.000000000565C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbRX_. source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tkrnlmp.pdb source: calc.exe, 00000014.00000003.2477032525.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476679096.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475602757.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2472934312.0000000005491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lication Data\Temp\Symbols\winload_prod.pdb\i source: calc.exe, 00000014.00000003.2477475758.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: od.pdb source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2475839620.0000000005300000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475538738.00000000052E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SV3JLq7.pDBEHsNeknmMsfNhoCLxceynTuygFkOVjTxnZQDivmRHwDpuQAusMMPYXV source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000002.1493637355.0000000003C8E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2u\*.*he\IE\*[DlD source: calc.exe, 00000014.00000003.2470951543.0000000005567000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbpd source: calc.exe, 00000014.00000003.2475839620.0000000005300000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475538738.00000000052E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2! source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2478762574.0000000002A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbd8bbweZ source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2478762574.0000000002A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2470951543.0000000005567000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2475093113.0000000005348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb3222*exe bT source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ATCVA5TX\Windows[1].jsonkrnlmp.pdbon Data\Application Data\Application Data\ApplicatioU source: calc.exe, 00000014.00000003.2456735636.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb*.* source: calc.exe, 00000014.00000003.2477312586.0000000004D8C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: calc.pdb source: calc.exe, 00000014.00000002.2481938307.00000000029B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb*.*INSTALL\| source: calc.exe, 00000014.00000003.2475093113.0000000005348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb2563\ source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb] source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831aa885f.tmpp source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.7:49713 -> 94.156.8.188:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 94.156.8.188:50500 -> 192.168.2.7:49713
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 94.156.8.188:50500 -> 192.168.2.7:49713
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49713 -> 94.156.8.188:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 94.156.8.188:50500 -> 192.168.2.7:49716
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 94.156.8.188:50500 -> 192.168.2.7:49717
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49716 -> 94.156.8.188:50500
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49717 -> 94.156.8.188:50500
Source: Traffic Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 94.156.8.188:50500 -> 192.168.2.7:49717
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 94.156.8.188:50500 -> 192.168.2.7:49723
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\calc.exe Network Connect: 34.117.186.192 443
Source: C:\Windows\SysWOW64\calc.exe Network Connect: 104.26.5.15 443
Source: C:\Windows\SysWOW64\calc.exe Network Connect: 94.156.8.188 50500
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49713 -> 94.156.8.188:50500
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files Jump to behavior
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: bastermedia.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: calc.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: calc.exe String found in binary or memory: https://ipinfo.io/
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000002.1493637355.0000000003402000.00000004.00001000.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2483183645.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2481513543.0000000002800000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1405172785.0000000006B86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: calc.exe, 00000014.00000003.2479656683.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2462647121.0000000006079000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2481938307.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2465335164.00000000059A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: calc.exe, 00000014.00000002.2481938307.00000000029B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT?
Source: calc.exe, 00000014.00000003.2479656683.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2465335164.00000000059A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTApplication
Source: calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2473156461.000000000545E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2455560339.0000000005C86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot:d1
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botBmM
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botkM
Source: calc.exe, 00000014.00000003.2464796527.0000000005847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://trusttoken.dev
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: calc.exe, 00000014.00000003.1631041526.0000000004D7E000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1612025387.0000000004D45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: calc.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: calc.exe, 00000014.00000003.2476907655.0000000005A62000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2486271788.0000000005A62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: calc.exe, 00000014.00000003.1670112676.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1615119744.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1648412119.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1665947672.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1619436983.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1659836680.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: calc.exe, 00000014.00000003.2476907655.0000000005A62000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2486271788.0000000005A62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: calc.exe, 00000014.00000003.1670112676.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1615119744.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1648412119.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1665947672.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1619436983.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1659836680.0000000004D53000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1671874085.0000000004D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: calc.exe, 00000014.00000003.2476907655.0000000005A62000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2486271788.0000000005A62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/h
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49721 version: TLS 1.2

System Summary
barindex
Found suspicious ZIP file
Source: qejgAV31ox5GsAcJ2HC9KPd.zip.22.dr Zip Entry: Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\crypto.bundle.js
Source: qejgAV31ox5GsAcJ2HC9KPd.zip.22.dr Zip Entry: Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\crypto.bundle.js
Source: qejgAV31ox5GsAcJ2HC9KPd.zip.22.dr Zip Entry: Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\crypto.bundle.js
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\calc.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0283928D 20_2_0283928D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028022AD 20_2_028022AD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028542CD 20_2_028542CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280F2DD 20_2_0280F2DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028DB2ED 20_2_028DB2ED
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028E123D 20_2_028E123D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288B24D 20_2_0288B24D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280D3FD 20_2_0280D3FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288A36D 20_2_0288A36D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028EA0CA 20_2_028EA0CA
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0283C01D 20_2_0283C01D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0289919D 20_2_0289919D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288111D 20_2_0288111D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0287211D 20_2_0287211D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280515D 20_2_0280515D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288B6FD 20_2_0288B6FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0284561D 20_2_0284561D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0284262D 20_2_0284262D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281164D 20_2_0281164D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028097AD 20_2_028097AD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288A7ED 20_2_0288A7ED
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281A70D 20_2_0281A70D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0284B75D 20_2_0284B75D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288448D 20_2_0288448D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288149D 20_2_0288149D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028404DD 20_2_028404DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028184DD 20_2_028184DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288B4ED 20_2_0288B4ED
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028EA40C 20_2_028EA40C
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288240D 20_2_0288240D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0283F5BD 20_2_0283F5BD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028D35DD 20_2_028D35DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280251D 20_2_0280251D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02801A0D 20_2_02801A0D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288AA5D 20_2_0288AA5D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02887B9D 20_2_02887B9D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02836B9D 20_2_02836B9D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02882B3D 20_2_02882B3D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02828B6D 20_2_02828B6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028D280D 20_2_028D280D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0289280D 20_2_0289280D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0284880D 20_2_0284880D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281080D 20_2_0281080D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288E82D 20_2_0288E82D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0284286D 20_2_0284286D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028CD87D 20_2_028CD87D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288198D 20_2_0288198D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281699D 20_2_0281699D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028E49C5 20_2_028E49C5
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028E69FD 20_2_028E69FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280A9FD 20_2_0280A9FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288992D 20_2_0288992D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0287FE8D 20_2_0287FE8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288DEED 20_2_0288DEED
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02834EED 20_2_02834EED
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280AE2D 20_2_0280AE2D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02899E5D 20_2_02899E5D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028D4F8D 20_2_028D4F8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0288EF8D 20_2_0288EF8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02841F8D 20_2_02841F8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280CF0D 20_2_0280CF0D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02884F3D 20_2_02884F3D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0280DCBD 20_2_0280DCBD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028FDCCE 20_2_028FDCCE
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0283ACFD 20_2_0283ACFD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02837C5D 20_2_02837C5D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0289DC6D 20_2_0289DC6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028F7D81 20_2_028F7D81
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02853D0D 20_2_02853D0D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02892D1D 20_2_02892D1D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02824D2D 20_2_02824D2D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028D0D6D 20_2_028D0D6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0284DD6D 20_2_0284DD6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02820D7D 20_2_02820D7D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04601400 20_2_04601400
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0467B4B0 20_2_0467B4B0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_045F9560 20_2_045F9560
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046005C0 20_2_046005C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046385C0 20_2_046385C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0467A5A0 20_2_0467A5A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04632620 20_2_04632620
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046BB780 20_2_046BB780
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0462C060 20_2_0462C060
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04629040 20_2_04629040
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046CB0A0 20_2_046CB0A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_045FF090 20_2_045FF090
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04644080 20_2_04644080
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_045FD1B0 20_2_045FD1B0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0461E230 20_2_0461E230
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_045F22D0 20_2_045F22D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0463E300 20_2_0463E300
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046323E0 20_2_046323E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046213D0 20_2_046213D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_045FCCC0 20_2_045FCCC0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0461ACC4 20_2_0461ACC4
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04624CA0 20_2_04624CA0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0464ACB0 20_2_0464ACB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0462BDD0 20_2_0462BDD0
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046D9E7D 20_2_046D9E7D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04615E40 20_2_04615E40
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0462CF20 20_2_0462CF20
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0467A810 20_2_0467A810
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268B24D 21_2_0268B24D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026E123D 21_2_026E123D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026DB2ED 21_2_026DB2ED
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026542CD 21_2_026542CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260F2DD 21_2_0260F2DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026022AD 21_2_026022AD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0263928D 21_2_0263928D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268A36D 21_2_0268A36D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260D3FD 21_2_0260D3FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0263C01D 21_2_0263C01D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026EA0CA 21_2_026EA0CA
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260515D 21_2_0260515D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268111D 21_2_0268111D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0267211D 21_2_0267211D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0269919D 21_2_0269919D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261164D 21_2_0261164D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0264262D 21_2_0264262D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0264561D 21_2_0264561D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268B6FD 21_2_0268B6FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0264B75D 21_2_0264B75D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261A70D 21_2_0261A70D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268A7ED 21_2_0268A7ED
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026097AD 21_2_026097AD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026EA40C 21_2_026EA40C
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268240D 21_2_0268240D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268B4ED 21_2_0268B4ED
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026404DD 21_2_026404DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026184DD 21_2_026184DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268448D 21_2_0268448D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268149D 21_2_0268149D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260251D 21_2_0260251D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026D35DD 21_2_026D35DD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0263F5BD 21_2_0263F5BD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268AA5D 21_2_0268AA5D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02601A0D 21_2_02601A0D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02628B6D 21_2_02628B6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02682B3D 21_2_02682B3D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02687B9D 21_2_02687B9D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02636B9D 21_2_02636B9D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0264286D 21_2_0264286D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026CD87D 21_2_026CD87D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268E82D 21_2_0268E82D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026D280D 21_2_026D280D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0269280D 21_2_0269280D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0264880D 21_2_0264880D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261080D 21_2_0261080D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268992D 21_2_0268992D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026E69FD 21_2_026E69FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260A9FD 21_2_0260A9FD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026E49C5 21_2_026E49C5
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268198D 21_2_0268198D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261699D 21_2_0261699D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02699E5D 21_2_02699E5D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260AE2D 21_2_0260AE2D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268DEED 21_2_0268DEED
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02634EED 21_2_02634EED
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0267FE8D 21_2_0267FE8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02684F3D 21_2_02684F3D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260CF0D 21_2_0260CF0D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026D4F8D 21_2_026D4F8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0268EF8D 21_2_0268EF8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02641F8D 21_2_02641F8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0269DC6D 21_2_0269DC6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02637C5D 21_2_02637C5D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0263ACFD 21_2_0263ACFD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026FDCCE 21_2_026FDCCE
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0260DCBD 21_2_0260DCBD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026D0D6D 21_2_026D0D6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0264DD6D 21_2_0264DD6D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02620D7D 21_2_02620D7D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02624D2D 21_2_02624D2D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02653D0D 21_2_02653D0D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02692D1D 21_2_02692D1D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026F7D81 21_2_026F7D81
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044A1400 21_2_044A1400
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0451B4B0 21_2_0451B4B0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_04499560 21_2_04499560
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044A05C0 21_2_044A05C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044D85C0 21_2_044D85C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0451A5A0 21_2_0451A5A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044D2620 21_2_044D2620
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0455B780 21_2_0455B780
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044C9040 21_2_044C9040
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044CC060 21_2_044CC060
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044E4080 21_2_044E4080
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0449F090 21_2_0449F090
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0456B0A0 21_2_0456B0A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0449D1B0 21_2_0449D1B0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044BE230 21_2_044BE230
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044DE300 21_2_044DE300
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044C13D0 21_2_044C13D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044D23E0 21_2_044D23E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0449CCC0 21_2_0449CCC0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044BACC4 21_2_044BACC4
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044C4CA0 21_2_044C4CA0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EACB0 21_2_044EACB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044CBDD0 21_2_044CBDD0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044B5E40 21_2_044B5E40
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_04579E7D 21_2_04579E7D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044CCF20 21_2_044CCF20
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0451A810 21_2_0451A810
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044ED8F0 21_2_044ED8F0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044C6950 21_2_044C6950
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044CD970 21_2_044CD970
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044B8920 21_2_044B8920
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044E8A50 21_2_044E8A50
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0449DA70 21_2_0449DA70
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044C7A10 21_2_044C7A10
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044E5A20 21_2_044E5A20
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044E3AC0 21_2_044E3AC0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044B4AE0 21_2_044B4AE0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044CAAB0 21_2_044CAAB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044B0B30 21_2_044B0B30
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0451C430 21_2_0451C430
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044AA4C0 21_2_044AA4C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044DB510 21_2_044DB510
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_045225C0 21_2_045225C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_045625C0 21_2_045625C0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0451E5E0 21_2_0451E5E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0455D630 21_2_0455D630
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_045196E0 21_2_045196E0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\calc.exe Code function: String function: 028DE42D appears 54 times
Source: C:\Windows\SysWOW64\calc.exe Code function: String function: 026DE42D appears 54 times
Source: C:\Windows\SysWOW64\calc.exe Code function: String function: 044FA3E0 appears 31 times
One or more processes crash
Source: C:\Windows\SysWOW64\calc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 1920
PE / OLE file has an invalid certificate
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000002.1493637355.0000000003402000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSBuild.exeR vs 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1208557580.0000000001C97000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFileGuard.exeL* vs 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000003.1408156756.0000000006B1A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileGuard.exeL* vs 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe
Uses 32bit PE files
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000142A000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.0000000003547000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: *CNcqj5Pi.Vbp8nbMYxk
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@11/2102@3/3
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe File created: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd135
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5 Jump to behavior
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: calc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000002.1493637355.0000000003402000.00000004.00001000.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2483183645.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, calc.exe, 00000014.00000002.2481513543.0000000002800000.00000020.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: calc.exe, 00000014.00000003.1665452539.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1629595312.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1668247854.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1658917128.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1607162590.0000000004D2D000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1611846557.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1717077995.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1649192912.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2477475758.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1660495441.0000000004D27000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.1648128030.0000000004D27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe ReversingLabs: Detection: 37%
Source: calc.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: calc.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe File read: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe "C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe"
Source: unknown Process created: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe "C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe"
Source: unknown Process created: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe "C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe"
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe
Source: C:\Windows\SysWOW64\calc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 1920
Source: C:\Windows\SysWOW64\calc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 1996
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\calc.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\calc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static file information: File size 21015224 > 1048576
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9bac00
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x19d800
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x813a00
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbRX_INSTALL source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476360362.00000000052A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: calc.pdbGCTL source: calc.exe, 00000014.00000002.2481938307.00000000029B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: krnlmp.pdb source: calc.exe, 00000014.00000003.2456735636.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2466522852.0000000005871000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2471959781.0000000005586000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2477032525.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476679096.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475602757.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbn source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\BrowserMetricsod.pdb,j source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2allet\* source: calc.exe, 00000014.00000003.2472630506.00000000054D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2466522852.0000000005871000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbs< source: calc.exe, 00000014.00000003.2474477222.000000000539D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2470260603.0000000005660000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2469593465.000000000565C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\A source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831jss7 source: calc.exe, 00000014.00000003.2466522852.0000000005871000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2470260603.0000000005660000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2469593465.000000000565C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbolstkrnlmp.pdbG92\ source: calc.exe, 00000014.00000003.2477032525.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476679096.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475602757.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476360362.00000000052A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2475093113.0000000005348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC282F source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2.func2 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2.func1 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2476004905.0000000005279000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2474477222.000000000539D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upV01Z6rQz0.PdbcxM source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831N source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbp source: calc.exe, 00000014.00000003.2472934312.0000000005491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2472934312.0000000005491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbDa{jMZ\: source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2477312586.0000000004D8C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbatio source: calc.exe, 00000014.00000003.2466838578.000000000581C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2.func2.1 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2472630506.00000000054D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831js source: calc.exe, 00000014.00000003.2470260603.0000000005660000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2469593465.000000000565C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbRX_. source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tkrnlmp.pdb source: calc.exe, 00000014.00000003.2477032525.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2476679096.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475602757.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2472934312.0000000005491000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lication Data\Temp\Symbols\winload_prod.pdb\i source: calc.exe, 00000014.00000003.2477475758.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: od.pdb source: calc.exe, 00000014.00000003.2471178167.0000000005562000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2471959781.0000000005562000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: calc.exe, 00000014.00000003.2475839620.0000000005300000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475538738.00000000052E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SV3JLq7.pDBEHsNeknmMsfNhoCLxceynTuygFkOVjTxnZQDivmRHwDpuQAusMMPYXV source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000002.1493637355.0000000003C8E000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2u\*.*he\IE\*[DlD source: calc.exe, 00000014.00000003.2470951543.0000000005567000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbpd source: calc.exe, 00000014.00000003.2475839620.0000000005300000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2475538738.00000000052E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2! source: calc.exe, 00000014.00000003.2468389882.0000000005728000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2467630760.0000000005728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2478762574.0000000002A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FCUn0tO.(*aOvKXXmW).pdBrrk16_q2 source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.000000000165E000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000378C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdbd8bbweZ source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2478762574.0000000002A91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: calc.exe, 00000014.00000003.2470951543.0000000005567000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: calc.exe, 00000014.00000003.2475093113.0000000005348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb3222*exe bT source: calc.exe, 00000014.00000003.2463974917.0000000002A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ATCVA5TX\Windows[1].jsonkrnlmp.pdbon Data\Application Data\Application Data\ApplicatioU source: calc.exe, 00000014.00000003.2456735636.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb*.* source: calc.exe, 00000014.00000003.2477312586.0000000004D8C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: calc.pdb source: calc.exe, 00000014.00000002.2481938307.00000000029B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb*.*INSTALL\| source: calc.exe, 00000014.00000003.2475093113.0000000005348000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb2563\ source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb] source: calc.exe, 00000014.00000003.2467630760.0000000005707000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: calc.exe, 00000014.00000003.2469271187.000000000568C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831aa885f.tmpp source: calc.exe, 00000014.00000003.2477935587.0000000004D83000.00000004.00000020.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 0_2_01C42341 pushad ; ret 0_2_01C42B32
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 0_2_01C42DD8 pushfd ; retf 0_2_01C42EE1
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 0_2_01C3E97B pushad ; ret 0_2_01C3E981
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 0_2_01C42EB1 pushfd ; retf 0_2_01C42EE1
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 0_2_01C42B33 pushad ; ret 0_2_01C42B9A
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 12_2_0202ED20 pushad ; iretd 12_2_0202ED21
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 12_2_0202EF50 pushad ; iretd 12_2_0202EF51
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 17_2_0202F10A pushad ; ret 17_2_0202F10D
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 17_2_02032B33 pushad ; ret 17_2_02032B9A
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 17_2_0203093B push es; iretd 17_2_02030A9A
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 17_2_02032341 pushad ; ret 17_2_02032B32
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Code function: 17_2_0202E05F push 204002C9h; retn 0002h 17_2_0202E076
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028DDFF4 push ecx; ret 20_2_028DE007
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026DDFF4 push ecx; ret 21_2_026DE007
Drops PE files
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe File created: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Jump to dropped file
Installs a Chrome extension
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\Temp Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\da
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\de
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\el
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fil
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hu
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\id
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\it
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ja
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\lv
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_BR
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pt_PT
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ro
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ru
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\tr
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\uk
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File created: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.LICENSE.txt

Boot Survival
barindex
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion
barindex
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Source: Global behavior Junk call stats: NtWriteFile 7895115
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\calc.exe Window / User API: threadDelayed 514
Source: C:\Windows\SysWOW64\calc.exe Window / User API: threadDelayed 1539
Source: C:\Windows\SysWOW64\calc.exe Window / User API: threadDelayed 7053
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\calc.exe TID: 7676 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe TID: 7848 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\calc.exe TID: 1928 Thread sleep time: -1542000s >= -30000s
Source: C:\Windows\SysWOW64\calc.exe TID: 7848 Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\calc.exe TID: 1928 Thread sleep time: -4617000s >= -30000s
Source: C:\Windows\SysWOW64\calc.exe TID: 7848 Thread sleep time: -7053000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\calc.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\calc.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eVMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696492231u
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696492231~
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696492231
Source: calc.exe, 00000014.00000003.1705716499.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696492231
Source: calc.exe, 00000014.00000002.2481938307.0000000002A04000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000014.00000003.2463974917.0000000002A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000000.1204873057.0000000001760000.00000002.00000001.01000000.00000003.sdmp, (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000388F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UNGHgfSkd.go
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492p
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000011.00000002.1631317702.000000000253C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696492231o
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696492231o
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169649223h
Source: calc.exe, 00000014.00000003.2456298294.0000000005A79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc. VMware20,1
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696492231
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696492231
Source: (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1631904625.000000000388F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: oJGsYJXlVMcI.go
Source: 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 00000000.00000002.1490888377.000000000226C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe, 0000000C.00000002.1625175938.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: calc.exe, 00000014.00000003.1652756936.0000000004D64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Windows\SysWOW64\calc.exe Process information queried: ProcessInformation
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\calc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\calc.exe Process queried: DebugPort
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028200CD mov eax, dword ptr fs:[00000030h] 20_2_028200CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281C59D mov eax, dword ptr fs:[00000030h] 20_2_0281C59D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281554D mov eax, dword ptr fs:[00000030h] 20_2_0281554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0281656D mov ecx, dword ptr fs:[00000030h] 20_2_0281656D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285FB8D mov eax, dword ptr fs:[00000030h] 20_2_0285FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285F9CD mov eax, dword ptr fs:[00000030h] 20_2_0285F9CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0285F9CD mov eax, dword ptr fs:[00000030h] 20_2_0285F9CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02814F2D mov eax, dword ptr fs:[00000030h] 20_2_02814F2D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_02814D8D mov eax, dword ptr fs:[00000030h] 20_2_02814D8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046506F3 mov eax, dword ptr fs:[00000030h] 20_2_046506F3
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046506F3 mov eax, dword ptr fs:[00000030h] 20_2_046506F3
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_046506F3 mov eax, dword ptr fs:[00000030h] 20_2_046506F3
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0464F780 mov eax, dword ptr fs:[00000030h] 20_2_0464F780
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0464F780 mov eax, dword ptr fs:[00000030h] 20_2_0464F780
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04650252 mov eax, dword ptr fs:[00000030h] 20_2_04650252
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_04650252 mov eax, dword ptr fs:[00000030h] 20_2_04650252
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0460C350 mov eax, dword ptr fs:[00000030h] 20_2_0460C350
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_0462CF20 mov eax, dword ptr fs:[00000030h] 20_2_0462CF20
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_026200CD mov eax, dword ptr fs:[00000030h] 21_2_026200CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261656D mov ecx, dword ptr fs:[00000030h] 21_2_0261656D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261554D mov eax, dword ptr fs:[00000030h] 21_2_0261554D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0261C59D mov eax, dword ptr fs:[00000030h] 21_2_0261C59D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265FB8D mov eax, dword ptr fs:[00000030h] 21_2_0265FB8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265F9CD mov eax, dword ptr fs:[00000030h] 21_2_0265F9CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_0265F9CD mov eax, dword ptr fs:[00000030h] 21_2_0265F9CD
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02614F2D mov eax, dword ptr fs:[00000030h] 21_2_02614F2D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_02614D8D mov eax, dword ptr fs:[00000030h] 21_2_02614D8D
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044F06F3 mov eax, dword ptr fs:[00000030h] 21_2_044F06F3
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044F06F3 mov eax, dword ptr fs:[00000030h] 21_2_044F06F3
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044F06F3 mov eax, dword ptr fs:[00000030h] 21_2_044F06F3
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF780 mov eax, dword ptr fs:[00000030h] 21_2_044EF780
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF780 mov eax, dword ptr fs:[00000030h] 21_2_044EF780
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044F0252 mov eax, dword ptr fs:[00000030h] 21_2_044F0252
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044F0252 mov eax, dword ptr fs:[00000030h] 21_2_044F0252
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044AC350 mov eax, dword ptr fs:[00000030h] 21_2_044AC350
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044CCF20 mov eax, dword ptr fs:[00000030h] 21_2_044CCF20
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940
Source: C:\Windows\SysWOW64\calc.exe Code function: 21_2_044EF940 mov eax, dword ptr fs:[00000030h] 21_2_044EF940

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\calc.exe Network Connect: 34.117.186.192 443
Source: C:\Windows\SysWOW64\calc.exe Network Connect: 104.26.5.15 443
Source: C:\Windows\SysWOW64\calc.exe Network Connect: 94.156.8.188 50500
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Memory allocated: C:\Windows\SysWOW64\calc.exe base: 2800000 protect: page read and write Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Memory allocated: C:\Windows\SysWOW64\calc.exe base: 2600000 protect: page read and write Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Memory allocated: C:\Windows\SysWOW64\calc.exe base: 2E00000 protect: page read and write Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Thread created: C:\Windows\SysWOW64\calc.exe EIP: 2800000 Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Thread created: C:\Windows\SysWOW64\calc.exe EIP: 2600000 Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Thread created: C:\Windows\SysWOW64\calc.exe EIP: 2E00000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 2800000 Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 2600000 Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 2E00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Process created: C:\Windows\SysWOW64\calc.exe C:\Windows\System32\calc.exe Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\calc.exe Code function: 20_2_028150AD cpuid 20_2_028150AD
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\SysWOW64\calc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\calc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\calc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\calc.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Queries volume information: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Queries volume information: C:\Users\user\Desktop\831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Queries volume information: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Queries volume information: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Queries volume information: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe Queries volume information: C:\Users\Public\Libraries\(e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\calc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\calc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Overwrites Mozilla Firefox settings
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\previous.jsonlz4 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt
Source: C:\Windows\SysWOW64\calc.exe File written: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 22.2.calc.exe.2e00e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe.3402e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.calc.exe.2800e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.calc.exe.2600e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2256746571.0000000004AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2241160863.0000000004AA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2240714768.0000000004AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2479656683.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2481513543.0000000002800000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1493637355.0000000003402000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2483183645.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2465335164.00000000059A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2255355902.0000000004491000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3673915674.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2462647121.0000000006079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2464978798.0000000005978000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2249234864.0000000002600000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2083714525.0000000005451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2483399602.00000000045F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2235964264.0000000004BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3676968824.0000000004D31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3661201273.0000000002E00000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2252124694.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2486123680.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2464707101.0000000005955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3676539138.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: calc.exe PID: 7668, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qejgAV31ox5GsAcJ2HC9KPd.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\31PgCcUBGPwV6NnfvXczXQ1.zip, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LocalPrefs.json
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\logins.json
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\signons.sqlite
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\signons.sqlite
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\formhistory.sqlite
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Crashpad\settings.dat\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG.old\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\places.sqlite
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user~1\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG\desktop.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\SysWOW64\calc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Steals Internet Explorer cookies
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Files\AppData\Local\Temp\adobeHpbNlo3JVv_6\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobepbqnrM0s9U5u\Files\AppData\Local\Temp\adobeoXPwUyynlHg5\Cookies\Chrome_Default.txt
Source: C:\Windows\SysWOW64\calc.exe File read: C:\Users\user\AppData\Local\Temp\adobeoXPwUyynlHg5\Files\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\adobepbqnrM0s9U5u\Cookies\Chrome_Default.txt Jump to behavior

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 22.2.calc.exe.2e00e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe.3402e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.calc.exe.2800e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.calc.exe.2600e4d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.2256746571.0000000004AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2241160863.0000000004AA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2240714768.0000000004AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2479656683.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2481513543.0000000002800000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1493637355.0000000003402000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2483183645.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2465335164.00000000059A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2255355902.0000000004491000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3673915674.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2462647121.0000000006079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2464978798.0000000005978000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2249234864.0000000002600000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.2083714525.0000000005451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2483399602.00000000045F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.2235964264.0000000004BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3676968824.0000000004D31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3661201273.0000000002E00000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2252124694.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2486123680.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2464707101.0000000005955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3676539138.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: calc.exe PID: 7668, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qejgAV31ox5GsAcJ2HC9KPd.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\31PgCcUBGPwV6NnfvXczXQ1.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1434962 Sample: 831107010C8578AD95A12C5498B... Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 49 bastermedia.com 2->49 51 ipinfo.io 2->51 53 db-ip.com 2->53 69 Snort IDS alert for network traffic 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 5 other signatures 2->75 8 (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe 2->8         started        11 831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe 1 1 2->11         started        14 (e159e87fbe0192614bd548893ae5f53d)831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe 2->14         started        signatures3 process4 file5 77 Antivirus detection for dropped file 8->77 79 Multi AV Scanner detection for dropped file 8->79 81 Writes to foreign memory regions 8->81 16 calc.exe 8->16         started        47 (e159e87fbe0192614...55EAC398B5BBC0D.exe, PE32 11->47 dropped 83 Creates autostart registry keys with suspicious names 11->83 85 Allocates memory in foreign processes 11->85 87 Creates a thread in another existing process (thread injection) 11->87 20 calc.exe 1002 11->20         started        23 calc.exe 14->23         started        signatures6 process7 dnsIp8 41 15 other malicious files 16->41 dropped 61 Tries to steal Mail credentials (via file / registry access) 16->61 63 Overwrites Mozilla Firefox settings 16->63 65 Tries to harvest and steal browser information (history, passwords, etc) 16->65 25 WerFault.exe 16->25         started        55 bastermedia.com 94.156.8.188, 49713, 49716, 49717 NET1-ASBG Bulgaria 20->55 57 ipinfo.io 34.117.186.192, 443, 49714, 49718 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->57 59 db-ip.com 104.26.5.15, 443, 49715, 49720 CLOUDFLARENETUS United States 20->59 29 C:\Users\user\AppData\...\previous.jsonlz4, Mozilla 20->29 dropped 31 C:\Users\user\AppData\Local\...\pkcs11.txt, ASCII 20->31 dropped 33 C:\Users\...\SiteSecurityServiceState.txt, CSV 20->33 dropped 43 7 other malicious files 20->43 dropped 27 WerFault.exe 20->27         started        35 C:\Users\user\...\qejgAV31ox5GsAcJ2HC9KPd.zip, Zip 23->35 dropped 37 C:\Users\...\upgrade.jsonlz4-20230927232528, Mozilla 23->37 dropped 39 C:\Users\user\AppData\...\previous.jsonlz4, Mozilla 23->39 dropped 45 5 other malicious files 23->45 dropped 67 System process connects to network (likely due to code injection or exploit) 23->67 file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false
94.156.8.188
 bastermedia.com Bulgaria
43561 NET1-ASBG true

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
db-ip.com 104.26.5.15 true
bastermedia.com 94.156.8.188 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://db-ip.com/demo/home.php?s=191.96.150.225 false
    		high
    https://ipinfo.io/widget/demo/191.96.150.225 false
      		high