Windows Analysis Report
FFbd.dll

Malicious sample detected (through community Yara rule)

Source: Joe Sandbox View

ASN Name: RANATECHNET-AFRANATechnologiesKabulAF RANATECHNET-AFRANATechnologiesKabulAF

Source: C:\Users\user\AppData\Local\Temp\rkn.exe

Code function: 6_2_02FC1050 InternetOpenW,InternetOpenUrlW,GetTempPathW,PathCombineW,CreateFileW,InternetReadFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

6_2_02FC1050

Source: rundll32.exe, 00000003.00000002.2396183226.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2396183226.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861211680.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.000000000295B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/
Source: rkn.exe, rkn.exe, 0000000A.00000002.1906582152.00000000017A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/apt66ext.log
Source: rkn.exe, 00000007.00000002.1859848122.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/apt66ext.logQ
Source: rkn.exe, 00000006.00000002.2395036782.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/apt66ext.logt6
Source: rkn.exe, 00000007.00000002.1859848122.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/apt66ext.logy
Source: rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.000000000295B000.00000004.00000020.00020000.00000000.sdmp, FFbd.dll	String found in binary or memory: http://121.127.33.39/rkn.log
Source: rundll32.exe, 00000005.00000002.1908626749.000000000295B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.log)
Source: rundll32.exe, 00000005.00000002.1908626749.000000000295B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.log-
Source: rundll32.exe, 00000003.00000002.2396183226.00000000030AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.log0
Source: rundll32.exe, 00000004.00000002.1861211680.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.log5g
Source: rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.logQ
Source: rundll32.exe, 00000004.00000002.1861211680.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.logSystem32
Source: rundll32.exe, 00000004.00000002.1861211680.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.loga
Source: rundll32.exe, 00000003.00000002.2396183226.000000000309A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.logg
Source: rundll32.exe, 00000004.00000002.1861211680.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.logl
Source: rundll32.exe, 00000003.00000002.2396183226.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.logll
Source: rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/rkn.logo
Source: rkn.exe, 0000000A.00000002.1906582152.00000000017A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/unity.pdf
Source: rkn.exe, 00000006.00000002.2395036782.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/unity.pdfR
Source: rkn.exe, 00000006.00000002.2395343407.0000000002FC3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 00000006.00000002.2395272404.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859609747.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859676876.00000000009D3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906412300.0000000001690000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906499521.00000000016A3000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/unity.pdfapt66ext.exehttp://121.127.33.39/apt66ext.logapt66.exemsupdate.exeC
Source: rkn.exe, 00000006.00000002.2395036782.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.39/unity.pdfu
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://arxiv.org/abs/1805.10941.
Source: staged_out.exe, 00000016.00000002.2274006172.00000295FD770000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)uctypes.util.find_library()
Source: _decimal.pyd.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: _decimal.pyd.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://caffe.berkeleyvision.org
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://caffe.berkeleyvision.org/)
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://campar.in.tum.de/Chair/HandEyeCalibration).
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.476.5736&rep=rep1&type=pdf
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.131.6394
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: _decimal.pyd.20.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: _decimal.pyd.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: _decimal.pyd.20.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: _decimal.pyd.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: _decimal.pyd.20.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://digitalassets.lib.berkeley.edu/sdtr/ucb/text/34.pdf
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dx.doi.org/10.1016/j.cviu.2010.01.011
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://graphics.berkeley.edu/papers/Tao-SAN-2012-05/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://homepages.inf.ed.ac.uk/rbf/HIPR2/hough.htm
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://json.org
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kobesearch.cpan.org/htdocs/Math-Cephes/Math/Cephes.html
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lear.inrialpes.fr/src/deepmatching/
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/BinomialDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/CauchyDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF04000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/GammaDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/HypergeometricDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/LaplaceDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/LogisticDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/NegativeBinomialDistribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/NoncentralF-Distribution.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://mathworld.wolfram.com/PoissonDistribution.html
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/SincFunction.html
Source: _decimal.pyd.20.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: _decimal.pyd.20.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: _decimal.pyd.20.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pracrand.sourceforge.net/RNG_engines.txt
Source: staged_out.exe, 00000016.00000002.2273973720.00000295FD720000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2273941997.00000295FD6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: staged_out.exe, 00000016.00000003.2251888617.00000295FD177000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2273421053.00000295FD177000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://tip.tcl.tk/48)
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://torch.ch
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://torch.ch/)
Source: _decimal.pyd.20.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: _decimal.pyd.20.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: _decimal.pyd.20.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: staged_out.exe, 00000016.00000002.2273799570.00000295FD480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ubuntuforums.org/showthread.php?t=1751455
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://underdestruction.com/2004/02/25/stackblur-2004.
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ams.org/journals/mcom/1988-51-184/
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271903544.00000295F47D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.tut.fi/~foi/GCF-BM3D/BM3D_TIP_2007.pdf
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)Fz
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dai.ed.ac.uk/CVonline/LOCAL_COPIES/MANDUCHI1/Bilateral_Filtering.html
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gdal.org)
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gdal.org/formats_list.html)
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gdal.org/ogr_formats.html).
Source: staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/index.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2273941997.00000295FD6D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271903544.00000295F47D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r(
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ifp.illinois.edu/~vuongle2/helen/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.inf.ufrgs.br/~eslgastal/DomainTransform/).
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.inf.ufrgs.br/~eslgastal/DomainTransform/).COLOR_SPACE_Lab_D75_2MORPH_CROSSCAP_PROP_DC1394
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: http://www.inference.org.uk/mackay/itila/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ipol.im/pub/algo/bcm_non_local_means_denoising
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ipol.im/pub/algo/bcm_non_local_means_denoising/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ipol.im/pub/art/2011/ys-dct/
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/JUMP/
Source: staged_out.exe, 00000016.00000003.2251193956.00000295FCF51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.math.sfu.ca/~cbm/aands/
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.math.sfu.ca/~cbm/aands/page_379.htm
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251811266.00000295FCF81000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF51000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCF51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.math.sfu.ca/~cbm/aands/page_69.htm
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.megginson.com/SAX/.
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.nightmare.com/squirl/python-ext/misc/syslog.py
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/documents.php
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/documents.php?wg_abbrev=office-formula
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pcg-random.org/
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pcg-random.org/posts/random-invertible-mapping-statistics.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271946338.00000295F4830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.python.org/
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2273539712.00000295FD1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: staged_out.exe, 00000016.00000002.2271502517.00000295F2610000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/rfc%d.txtz(http://www.python.org/dev/peps/pep-%04d/r2
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scipy.org/not/real/data.txt
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208z
Source: staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xyz.edu/data
Source: staged_out.exe, 00000016.00000002.2270219476.0000000062EA2000.00000008.00000001.01000000.0000001D.sdmp, zlib1.dll.20.dr	String found in binary or memory: http://www.zlib.net/D
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xml.python.org/entities/fragment-builder/internalz
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://xmlrpc.usefulinc.com/doc/reserved.html
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arxiv.org/abs/1704.04503
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.resources.html
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/library/string.html#format-specification-mini-language
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.scipy.org/doc/numpy/reference/c-api.generalized-ufuncs.html
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.scipy.org/doc/numpy/user/basics.io.genfromtxt.html
Source: staged_out.exe, 00000016.00000002.2272421254.00000295FCCD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.scipy.org/doc/numpy/user/numpy-for-matlab-users.html).
Source: staged_out.exe, 00000016.00000003.2250204397.00000295FCF51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://en.wik
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://engineering.purdue.edu/~malcolm/pct/CTI_Ch03.pdf
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://exiv2.org/tags.html)
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/imneme/540829265469e673d045
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/NVIDIA/caffe.
Source: staged_out.exe, 00000016.00000002.2274006172.00000295FD770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pygetwindow
Source: staged_out.exe, 00000016.00000002.2274888906.00000295FDBD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/baidut/BIMEF).
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joblib/threadpoolctl
Source: staged_out.exe, 00000016.00000002.2273669702.00000295FD2E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/numpy/numpy/issues/4763
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271847177.00000295F4570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/numpy/numpy/issues/8577
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/16736
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/16739
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/16739cv::MatOp_AddEx::assign
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/19634
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/19634cv::mjpeg::MjpegEncoder::MjpegEncodercv::mjpeg::MotionJ
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/20833
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/20833.
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/20833DNN/OpenCL:
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/21326
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/21326cv::initOpenEXRD:
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/5412.
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/6293
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/6293u-
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv_contrib/blob/master/modules/text/samples/OCRHMM_transitions_table.x
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv_contrib/blob/master/modules/text/samples/webcam_demo.cpp
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv_contrib/issues/2235
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv_contrib/issues/2235cv::text::extract_features(
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/openvinotoolkit/open_model_zoo/blob/master/models/public/yolo-v2-tiny-tf/yolo-v2-
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://github.com/pypa/packagingz
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2273765155.00000295FD440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.7/Objects/listsort.txt
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/torch/nn/blob/master/doc/module.md
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: staged_out.exe, 00000016.00000003.2252027013.00000295F2BAD000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271694928.00000295F2BAE000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://ipython.org
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: staged_out.exe, 00000016.00000002.2274929166.00000295FDC10000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mouseinfo.readthedocs.io
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mouseinfo.readthedocs.ioaMouseInfoWindowu
Source: staged_out.exe, 00000016.00000003.2252027013.00000295F2BAD000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271694928.00000295F2BAE000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://numpy.org/devdocs/user/troubleshooting-importerror.html
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://numpy.org/neps/nep-0032-remove-financial-functions.html
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnx.ai/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnx.ai/)
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://people.eecs.berkeley.edu/~wkahan/Mindless.pdf
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://people.eecs.berkeley.edu/~wkahan/ieee754status/IEEE754.PDF
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pjreddie.com/darknet/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pjreddie.com/darknet/)
Source: staged_out.exe, 00000016.00000002.2274929166.00000295FDC10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/numpy-financial.
Source: staged_out.exe, 00000016.00000002.2273539712.00000295FD1B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/numpy-financial/).
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scipy-cookbook.readthedocs.io/items/Ctypes.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr7
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr7)
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://software.intel.com/openvino-toolkit)
Source: staged_out.exe, 00000016.00000002.2274888906.00000295FDBD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/18905702/python-ctypes-and-mutable-buffers
Source: staged_out.exe, 00000016.00000002.2274888906.00000295FDBD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/455434/how-should-i-use-formatmessage-properly-in-c
Source: staged_out.exe, 00000016.00000002.2273799570.00000295FD480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/7648200/pip-install-pil-e-tickets-1-no-jpeg-png-support
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: https://stat.ethz.ch/~stahel/lognormal/bioscience.pdf
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271847177.00000295F4570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/y3dm3h86
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://tinyurl.com/y3dm3h86u
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: https://web.archive.org/web/20090423014010/http://www.brighton-webs.co.uk:80/distributions/wald.asp
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://web.archive.org/web/20120328125543/http://www.jpegcameras.com/libjpeg/libjpeg-3.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.cazabon.com
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.cazabon.com/pyCMS
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cs.hmc.edu/tr/hmc-cs-2014-0905.pdf
Source: _decimal.pyd.20.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: https://www.itl.nist.gov/div898/handbook/eda/section3/eda3663.htm
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: https://www.itl.nist.gov/div898/handbook/eda/section3/eda3666.htm
Source: apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	String found in binary or memory: https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/cornersQualityOOOO
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.littlecms.com
Source: staged_out.exe, 00000016.00000002.2272572945.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mathworks.com/help/techdoc/ref/rank.html
Source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mia.uni-saarland.de/Publications/gwosdek-ssvm11.pdf
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.numpy.org/neps/nep-0001-npy-format.html
Source: staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openblas.net/
Source: staged_out.exe, 00000016.00000002.2271754317.00000295F2C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.pygame.org/contribute.html
Source: staged_out.exe, 00000016.00000002.2271754317.00000295F2C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.pygame.org/docs/ref/color_list.html
Source: staged_out.exe, 00000016.00000002.2273637841.00000295FD290000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0506/
Source: staged_out.exe, 00000016.00000003.2252027013.00000295F2BAD000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271694928.00000295F2BAE000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.scipy.org
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tensorflow.org/
Source: apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tensorflow.org/)

System Summary

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 6.2.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 7.0.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 7.2.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 6.0.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 10.2.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 10.0.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000006.00000000.1716817368.0000000000583000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.1859570340.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.1859480878.0000000000584000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000006.00000002.2394995201.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1906067523.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000006.00000002.2394739280.0000000000584000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000000.1720009194.0000000000583000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1905614691.0000000000584000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000000.1748245426.0000000000583000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rkn.exe, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F7EC8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	6_2_014F7EC8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D7EC8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	7_2_005D7EC8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01517EC8 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,	10_2_01517EC8

Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F7EC8	6_2_014F7EC8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F3534	6_2_014F3534
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F47EC	6_2_014F47EC
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F4C1C	6_2_014F4C1C
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F4410	6_2_014F4410
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F56D0	6_2_014F56D0
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D7EC8	7_2_005D7EC8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D4C1C	7_2_005D4C1C
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D4410	7_2_005D4410
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D56D0	7_2_005D56D0
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D3534	7_2_005D3534
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D47EC	7_2_005D47EC
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01517EC8	10_2_01517EC8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01513534	10_2_01513534
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_015147EC	10_2_015147EC
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01514410	10_2_01514410
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01514C1C	10_2_01514C1C
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_015156D0	10_2_015156D0
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63850AC90	20_2_00007FF63850AC90
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638508D80	20_2_00007FF638508D80
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385015A0	20_2_00007FF6385015A0
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638517190	20_2_00007FF638517190
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638502D70	20_2_00007FF638502D70
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638510E28	20_2_00007FF638510E28
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638507A30	20_2_00007FF638507A30
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385111C0	20_2_00007FF6385111C0
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638502250	20_2_00007FF638502250
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638504250	20_2_00007FF638504250
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63851F668	20_2_00007FF63851F668
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638513E70	20_2_00007FF638513E70
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638507E70	20_2_00007FF638507E70
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638503F00	20_2_00007FF638503F00
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385102C0	20_2_00007FF6385102C0
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385106C8	20_2_00007FF6385106C8
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63851BB70	20_2_00007FF63851BB70
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638518370	20_2_00007FF638518370
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638502B60	20_2_00007FF638502B60
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638509430	20_2_00007FF638509430
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63851C00C	20_2_00007FF63851C00C
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638517810	20_2_00007FF638517810
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385063F0	20_2_00007FF6385063F0
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638502080	20_2_00007FF638502080
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638511C88	20_2_00007FF638511C88
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638511850	20_2_00007FF638511850
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF638516CFC	20_2_00007FF638516CFC
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385104C4	20_2_00007FF6385104C4
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E8A2BB	22_2_62E8A2BB
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E8B3B0	22_2_62E8B3B0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E81C90	22_2_62E81C90
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E83C40	22_2_62E83C40
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E82960	22_2_62E82960
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E82110	22_2_62E82110
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E83510	22_2_62E83510
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67883FA0	22_2_67883FA0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_678837D0	22_2_678837D0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67884BD0	22_2_67884BD0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67883BE0	22_2_67883BE0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67882300	22_2_67882300
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67883320	22_2_67883320
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67882E80	22_2_67882E80
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67882A90	22_2_67882A90
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67892EA0	22_2_67892EA0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67886EB0	22_2_67886EB0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6788DAE0	22_2_6788DAE0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67891AE0	22_2_67891AE0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67894200	22_2_67894200
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6788C660	22_2_6788C660
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67881490	22_2_67881490
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67885CC0	22_2_67885CC0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_678924D0	22_2_678924D0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6788E410	22_2_6788E410
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67882050	22_2_67882050
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67881860	22_2_67881860
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B4B0B0	22_2_68B4B0B0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B4C1F0	22_2_68B4C1F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B442F0	22_2_68B442F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B64209	22_2_68B64209
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B4EB80	22_2_68B4EB80
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B623E0	22_2_68B623E0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B58BC0	22_2_68B58BC0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B5F300	22_2_68B5F300
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B664C6	22_2_68B664C6
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B515A0	22_2_68B515A0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B58590	22_2_68B58590
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B4A5F0	22_2_68B4A5F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B62710	22_2_68B62710
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B4F700	22_2_68B4F700
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B45760	22_2_68B45760
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A025F0	22_2_69A025F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A341D1	22_2_69A341D1
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A2A530	22_2_69A2A530
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A068E0	22_2_69A068E0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A11730	22_2_69A11730
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A08B70	22_2_69A08B70
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A896ED0	22_2_6A896ED0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A88EF80	22_2_6A88EF80
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A890B92	22_2_6A890B92
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A8923A0	22_2_6A8923A0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A889BF0	22_2_6A889BF0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A88DBF0	22_2_6A88DBF0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A893BF0	22_2_6A893BF0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A881F50	22_2_6A881F50
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A893360	22_2_6A893360
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A88A370	22_2_6A88A370
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A894C8F	22_2_6A894C8F
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A884C90	22_2_6A884C90
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A895C90	22_2_6A895C90
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A88A8D0	22_2_6A88A8D0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A8874D0	22_2_6A8874D0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A88A8D2	22_2_6A88A8D2
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A8858F0	22_2_6A8858F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A881820	22_2_6A881820
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A886590	22_2_6A886590
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A8911D3	22_2_6A8911D3
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A8901E0	22_2_6A8901E0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A88C920	22_2_6A88C920
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A887D20	22_2_6A887D20
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A889130	22_2_6A889130
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A886D40	22_2_6A886D40
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE82AE0	22_2_6AE82AE0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC7AB0	22_2_6AEC7AB0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE95A90	22_2_6AE95A90
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE8ABD0	22_2_6AE8ABD0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE9AB70	22_2_6AE9AB70
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AED6B70	22_2_6AED6B70
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB0B40	22_2_6AEB0B40
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE97B50	22_2_6AE97B50
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE8FB10	22_2_6AE8FB10
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEA88C0	22_2_6AEA88C0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB8860	22_2_6AEB8860
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AECE850	22_2_6AECE850
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB1820	22_2_6AEB1820
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEBC9F0	22_2_6AEBC9F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC49A0	22_2_6AEC49A0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE96EA0	22_2_6AE96EA0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC5EB0	22_2_6AEC5EB0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEA6E20	22_2_6AEA6E20
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE89FE0	22_2_6AE89FE0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEAFF70	22_2_6AEAFF70
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEADF50	22_2_6AEADF50
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC1CF0	22_2_6AEC1CF0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC3CA0	22_2_6AEC3CA0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEAAC90	22_2_6AEAAC90
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB8C70	22_2_6AEB8C70
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB5D70	22_2_6AEB5D70
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB3D20	22_2_6AEB3D20
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE9A2E0	22_2_6AE9A2E0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEE02F0	22_2_6AEE02F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC72C0	22_2_6AEC72C0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEDD270	22_2_6AEDD270
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE9F3B0	22_2_6AE9F3B0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE8A360	22_2_6AE8A360
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEDE350	22_2_6AEDE350
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEDF350	22_2_6AEDF350
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE900E0	22_2_6AE900E0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEE50B0	22_2_6AEE50B0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEAD060	22_2_6AEAD060
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEA0010	22_2_6AEA0010
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AECB010	22_2_6AECB010
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE95110	22_2_6AE95110
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AE9B6F0	22_2_6AE9B6F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEC64F1	22_2_6AEC64F1
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AED44B0	22_2_6AED44B0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEB65B0	22_2_6AEB65B0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AED6550	22_2_6AED6550
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_71002B30	22_2_71002B30
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_710017C0	22_2_710017C0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_710023D0	22_2_710023D0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_71003820	22_2_71003820
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_71003E40	22_2_71003E40
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_710030A0	22_2_710030A0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\apt66ext[1].log 7FF47DCE0AD262F4C0818170213A2A5C97B098258F5B2E85B3DF5A48EED05183
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\apt66ext.exe 7FF47DCE0AD262F4C0818170213A2A5C97B098258F5B2E85B3DF5A48EED05183
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imaging.pyd 6D21AC76315885570BDCBF7B54CDD212E430F4CA2708F6F641EB5F6FEEAFC6E2

Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 68B46740 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 67895E38 appears 140 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 71005D80 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 68B46150 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 67895EA0 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 68B46530 appears 166 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 6A8990A0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 6A8991C8 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: String function: 6A899180 appears 52 times

Source: sdl2.dll.20.dr	Static PE information: Number of sections : 12 > 10
Source: sdl2_mixer.dll.20.dr	Static PE information: Number of sections : 12 > 10
Source: sdl2_ttf.dll.20.dr	Static PE information: Number of sections : 12 > 10
Source: libjpeg-9.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: zlib1.dll.20.dr	Static PE information: Number of sections : 12 > 10
Source: sdl2_image.dll.20.dr	Static PE information: Number of sections : 12 > 10
Source: libpng16-16.dll.20.dr	Static PE information: Number of sections : 11 > 10
Source: cv2.pyd.20.dr	Static PE information: Number of sections : 11 > 10
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: Number of sections : 19 > 10
Source: libfreetype-6.dll.20.dr	Static PE information: Number of sections : 12 > 10

Source: python3.dll.20.dr

Static PE information: No import functions for PE file found

Source: FFbd.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 6.2.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 7.0.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 7.2.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 6.0.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 10.2.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 10.0.rkn.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000006.00000000.1716817368.0000000000583000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.1859570340.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.1859480878.0000000000584000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000006.00000002.2394995201.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.1906067523.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000006.00000002.2394739280.0000000000584000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000000.1720009194.0000000000583000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.1905614691.0000000000584000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000000.1748245426.0000000000583000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Temp\rkn.exe, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: qt5core.dll.20.dr

Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal100.evad.winDLL@43/179@0/1

Source: unity[1].pdf.7.dr

Initial sample: mailto:trademarks@unity.com

Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe

Code function: 20_2_00007FF63850AB70 GetProcessId,GenerateConsoleCtrlEvent,GetLastError,FormatMessageA,WaitForSingleObject,CloseHandle,SHFileOperationW,

20_2_00007FF63850AB70

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[2].log

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Temp\rkn.exe

Source: FFbd.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\rkn.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FFbd.dll,apt66

Source: FFbd.dll

Virustotal: Detection: 9%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\FFbd.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FFbd.dll,apt66
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FFbd.dll",apt66
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\rkn.exe "C:\Users\user\AppData\Local\Temp\rkn.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\rkn.exe "C:\Users\user\AppData\Local\Temp\rkn.exe"
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\rkn.exe "C:\Users\user\AppData\Local\Temp\rkn.exe"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1668,i,5790033669171981686,32294422139624892,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Users\user\AppData\Local\Temp\apt66ext.exe "C:\Users\user\AppData\Local\Temp\apt66ext.exe"
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe "C:\Users\user\AppData\Local\Temp\apt66ext.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\FFbd.dll,apt66	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FFbd.dll",apt66	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\rkn.exe "C:\Users\user\AppData\Local\Temp\rkn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\rkn.exe "C:\Users\user\AppData\Local\Temp\rkn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\rkn.exe "C:\Users\user\AppData\Local\Temp\rkn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Users\user\AppData\Local\Temp\apt66ext.exe "C:\Users\user\AppData\Local\Temp\apt66ext.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1668,i,5790033669171981686,32294422139624892,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe "C:\Users\user\AppData\Local\Temp\apt66ext.exe"

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: python37.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: sdl2.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: sdl2_image.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: libpng16-16.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: libjpeg-9.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: sdl2_ttf.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: libfreetype-6.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: sdl2_mixer.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: libopenblas.wcdjnk7yvmpzq2me2zzhjjrj3jikndb7.gfortran-win_amd64.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: tcl86t.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: tk86t.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: mfreadwrite.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: mfcore.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: ksuser.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Section loaded: umpdc.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: FFbd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FFbd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FFbd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FFbd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FFbd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FFbd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FFbd.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: FFbd.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\narut\source\repos\stage2test\Release\stage2test.pdb source: FFbd.dll
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.20.dr
Source:	Binary string: ~/.pdbrc source: staged_out.exe, 00000016.00000002.2274762745.00000295FDB10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:40:20 2020 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.20.dr
Source:	Binary string: .pdbrc source: staged_out.exe, 00000016.00000002.2274762745.00000295FDB10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: placed in the .pdbrc file): source: staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2273421053.00000295FD16A000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251888617.00000295FD169000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -c are executed after commands from .pdbrc files. source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb source: _decimal.pyd.20.dr
Source:	Binary string: If a file ".pdbrc" exists in your home directory or in the current source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2273403885.00000295FD168000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\narut\source\repos\shellcoderunner\Release\shellcoderunner.pdb source: rkn.exe, 00000006.00000000.1716807213.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 00000006.00000002.2394697025.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 00000007.00000000.1719993020.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 00000007.00000002.1859446569.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 0000000A.00000000.1748192962.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 0000000A.00000002.1905527280.0000000000582000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: T.pdb source: rkn.exe, 00000006.00000002.2395016615.0000000001500000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859593411.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906141293.0000000001520000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Initial commands are read from .pdbrc files in your home directory source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.20.dr
Source:	Binary string: .pdbrc source: staged_out.exe, 00000016.00000002.2274762745.00000295FDB10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ~/.pdbrcz source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\opencv-python\opencv-python\_skbuild\win-amd64-3.7\cmake-build\lib\python3\Release\cv2.pdb source: apt66ext.exe, 00000014.00000003.2229701481.0000017004268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :jC:\Users\narut\source\repos\stage2test\Release\stage2test.pdb source: FFbd.dll
Source:	Binary string: C:\Users\narut\source\repos\fromshellcode\Release\fromshellcode.pdb source: rkn.exe, 00000006.00000002.2395343407.0000000002FC3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 00000006.00000002.2395272404.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859609747.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859676876.00000000009D3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906412300.0000000001690000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906499521.00000000016A3000.00000002.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\narut\source\repos\shellcoderunner\Release\shellcoderunner.pdb source: rkn.exe, 00000006.00000000.1716807213.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 00000006.00000002.2394697025.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 00000007.00000000.1719993020.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 00000007.00000002.1859446569.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 0000000A.00000000.1748192962.0000000000582000.00000002.00000001.01000000.00000005.sdmp, rkn.exe, 0000000A.00000002.1905527280.0000000000582000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: .pdbrc) source: staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtdeclarative\lib\Qt5Qml.pdb source: apt66ext.exe, 00000014.00000003.2229701481.0000017005524000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\narut\source\repos\fromshellcode\Release\fromshellcode.pdb source: rkn.exe, 00000006.00000002.2395343407.0000000002FC3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 00000006.00000002.2395272404.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859609747.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859676876.00000000009D3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906412300.0000000001690000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906499521.00000000016A3000.00000002.10000000.00040000.00000000.sdmp
Source:	Binary string: The standard debugger class (pdb.Pdb) is an example. source: staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250931979.00000295FCF99000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272958187.00000295FCFC5000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251695950.00000295FCFBF000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2252140280.00000295FCFC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_decimal.pdb$$ source: _decimal.pyd.20.dr

Source: FFbd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FFbd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FFbd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FFbd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FFbd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: apt66ext.exe.6.dr	Static PE information: section name: _RDATA
Source: apt66ext[1].log.6.dr	Static PE information: section name: _RDATA
Source: staged_out.exe.20.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.20.dr	Static PE information: section name: .00cfg
Source: libfreetype-6.dll.20.dr	Static PE information: section name: .xdata
Source: libjpeg-9.dll.20.dr	Static PE information: section name: .xdata
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: .xdata
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /4
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /19
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /31
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /45
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /57
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /70
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /81
Source: libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll.20.dr	Static PE information: section name: /92
Source: libpng16-16.dll.20.dr	Static PE information: section name: .xdata
Source: libssl-1_1.dll.20.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.20.dr	Static PE information: section name: .didat
Source: qt5core.dll.20.dr	Static PE information: section name: .qtmimed
Source: sdl2.dll.20.dr	Static PE information: section name: .xdata
Source: sdl2_image.dll.20.dr	Static PE information: section name: .xdata
Source: sdl2_mixer.dll.20.dr	Static PE information: section name: .xdata
Source: sdl2_ttf.dll.20.dr	Static PE information: section name: .xdata
Source: vcruntime140.dll.20.dr	Static PE information: section name: _RDATA
Source: zlib1.dll.20.dr	Static PE information: section name: .xdata
Source: qsvgicon.dll.20.dr	Static PE information: section name: .qtmetad
Source: qgif.dll.20.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.20.dr	Static PE information: section name: .qtmetad
Source: qico.dll.20.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.20.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.20.dr	Static PE information: section name: .qtmetad
Source: qtga.dll.20.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.20.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.20.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.20.dr	Static PE information: section name: .qtmetad
Source: dsengine.dll.20.dr	Static PE information: section name: .qtmetad
Source: qtmedia_audioengine.dll.20.dr	Static PE information: section name: .qtmetad
Source: wmfengine.dll.20.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.20.dr	Static PE information: section name: .qtmetad
Source: qoffscreen.dll.20.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.20.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.20.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.20.dr	Static PE information: section name: .qtmetad
Source: windowsprintersupport.dll.20.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.20.dr	Static PE information: section name: .qtmetad
Source: math.pyd.20.dr	Static PE information: section name: _RDATA
Source: cv2.pyd.20.dr	Static PE information: section name: IPPCODE
Source: cv2.pyd.20.dr	Static PE information: section name: IPPDATA
Source: cv2.pyd.20.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F2B53 push ebx; ret	6_2_014F2B54
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_014F0DB2 push esp; retf	6_2_014F0DB8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D2B53 push ebx; ret	7_2_005D2B54
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_005D0DB2 push esp; retf	7_2_005D0DB8
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01512B53 push ebx; ret	10_2_01512B54
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_01510DB2 push esp; retf	10_2_01510DB8
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E9642E push rbx; ret	22_2_62E9642F
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67895923 push rbp; retf	22_2_67895924
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A367D0 push rax; iretd	22_2_69A367D1
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEECA88 push rax; iretd	22_2_6AEECA89
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEE9B65 push rbp; retn 0001h	22_2_6AEE9B73

Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\dsengine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingcms.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\core\_multiarray_umath.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\surflock.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\joystick.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\python37.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingtk.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\linalg\lapack_lite.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mask.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libjpeg-9.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\color.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\rkn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imaging.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\apt66ext[1].log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_pcg64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\wmfengine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_bounded_integers.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\bufferproxy.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_webp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2_mixer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\key.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\tk86t.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_common.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5printsupport.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\sip.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mixer_music.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\scrap.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\draw.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_cffi_backend.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5websockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\rwobject.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\math.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\mtrand.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\image.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\transform.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\bit_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	File created: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\pixelarray.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2_image.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\font.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mixer.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_sfc64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_philox.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\cv2\cv2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\core\_multiarray_tests.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2_ttf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\imageext.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\base.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libpng16-16.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\display.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\printsupport\windowsprintersupport.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libfreetype-6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\linalg\_umath_linalg.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingft.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\_freetype.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5multimedia.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_mt19937.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\time.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\surface.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\pixelcopy.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\qtmedia_audioengine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\constants.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\rect.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5dbus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\fft\_pocketfft_internal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5qmlmodels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mouse.pyd	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\apt66ext[1].log			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\dsengine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingcms.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\core\_multiarray_umath.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\surflock.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\joystick.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingtk.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\linalg\lapack_lite.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mask.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\color.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\event.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imaging.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_pcg64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\wmfengine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_bounded_integers.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\bufferproxy.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_webp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\key.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_common.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5printsupport.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\sip.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\scrap.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mixer_music.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\draw.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_cffi_backend.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5websockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\rwobject.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\math.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\mtrand.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\image.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\transform.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\bit_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\pixelarray.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\font.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mixer.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_sfc64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_philox.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\cv2\cv2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\core\_multiarray_tests.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\imageext.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\base.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\display.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\printsupport\windowsprintersupport.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\linalg\_umath_linalg.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingft.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\_freetype.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5multimedia.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_mt19937.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\surface.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\time.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\pixelcopy.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\qtmedia_audioengine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\constants.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\rect.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5dbus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\fft\_pocketfft_internal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5qmlmodels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mouse.pyd	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe

Code function: 20_2_00007FF638518370 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,

20_2_00007FF638518370

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

System process connects to network (likely due to code injection or exploit)

Source: rundll32.exe, 00000004.00000002.1861211680.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: rkn.exe, 00000007.00000002.1859848122.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: rkn.exe, 0000000A.00000002.1906582152.0000000001767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh*\|
Source: rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: rkn.exe, 00000007.00000002.1859848122.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWKS@
Source: rundll32.exe, 00000003.00000002.2396183226.000000000309A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2396183226.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861211680.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.0000000002977000.00000004.00000020.00020000.00000000.sdmp, rkn.exe, 00000006.00000002.2395036782.000000000151E000.00000004.00000020.00020000.00000000.sdmp, rkn.exe, 00000006.00000002.2395036782.0000000001576000.00000004.00000020.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859848122.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859848122.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906582152.00000000017BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\rkn.exe

Code function: 6_2_00581668 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00581668

Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe

Code function: 20_2_00007FF63851A11C GetProcessHeap,

20_2_00007FF63851A11C

Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_005817CB SetUnhandledExceptionFilter,	6_2_005817CB
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_00581668 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00581668
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_00581904 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00581904
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_02FC1AC6 SetUnhandledExceptionFilter,	6_2_02FC1AC6
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_02FC1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_02FC1963
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 6_2_02FC1C04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_02FC1C04
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_009D1AC6 SetUnhandledExceptionFilter,	7_2_009D1AC6
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_009D1C04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_009D1C04
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 7_2_009D1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_009D1963
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_016A1963 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_016A1963
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_016A1C04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_016A1C04
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Code function: 10_2_016A1AC6 SetUnhandledExceptionFilter,	10_2_016A1AC6
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63850BD58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF63850BD58
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63850B600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FF63850B600
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF63850BF3C SetUnhandledExceptionFilter,	20_2_00007FF63850BF3C
Source: C:\Users\user\AppData\Local\Temp\apt66ext.exe	Code function: 20_2_00007FF6385148F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF6385148F0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_62E925B6 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	22_2_62E925B6
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_67895016 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	22_2_67895016
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_68B632A6 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	22_2_68B632A6
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_69A2C3D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_69A2C3D0
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6A8982C6 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	22_2_6A8982C6
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_6AEE6866 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	22_2_6AEE6866
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Code function: 22_2_71004FA6 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	22_2_71004FA6

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 121.127.33.39 80

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rkn.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"

Source: C:\Users\user\AppData\Local\Temp\rkn.exe

Code function: 6_2_00581A26 cpuid

6_2_00581A26

Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024 VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\rkn.exe

Code function: 6_2_0058154F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_0058154F

Source: C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FFbd.dll	11%	ReversingLabs
FFbd.dll	9%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log	100%	Avira	HEUR/AGEN.1318484
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log	63%	ReversingLabs	Win32.Exploit.DonutMarte
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\apt66ext[1].log	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\apt66ext.exe	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imaging.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingcms.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingft.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingtk.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_webp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\iconengines\qsvgicon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qgif.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qicns.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qico.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qjpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qsvg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtga.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtiff.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwbmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwebp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\dsengine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\qtmedia_audioengine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\wmfengine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qminimal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qoffscreen.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwebgl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwindows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platformthemes\qxdgdesktopportal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\printsupport\windowsprintersupport.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\styles\qwindowsvistastyle.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\sip.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_cffi_backend.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_hashlib.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://torch.ch/)	0%	Avira URL Cloud	safe
http://www.scipy.org/not/real/data.txt	0%	Avira URL Cloud	safe
http://www.megginson.com/SAX/.	0%	Avira URL Cloud	safe
https://onnx.ai/)	0%	Avira URL Cloud	safe
http://caffe.berkeleyvision.org/)	0%	Avira URL Cloud	safe
https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv/issues/19634cv::mjpeg::MjpegEncoder::MjpegEncodercv::mjpeg::MotionJ	0%	Avira URL Cloud	safe
http://torch.ch/)	0%	Virustotal		Browse
http://121.127.33.39/rkn.log	100%	Avira URL Cloud	malware
http://www.scipy.org/not/real/data.txt	0%	Virustotal		Browse
https://onnx.ai/)	0%	Virustotal		Browse
https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu	0%	Avira URL Cloud	safe
http://121.127.33.39/apt66ext.log	0%	Avira URL Cloud	safe
https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp	0%	Virustotal		Browse
http://www.megginson.com/SAX/.	2%	Virustotal		Browse
https://github.com/opencv/opencv/issues/19634cv::mjpeg::MjpegEncoder::MjpegEncodercv::mjpeg::MotionJ	0%	Virustotal		Browse
https://numpy.org/neps/nep-0032-remove-financial-functions.html	0%	Avira URL Cloud	safe
https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu	0%	Virustotal		Browse
http://docs.python.org/library/unittest.html	0%	Avira URL Cloud	safe
http://121.127.33.39/rkn.log	11%	Virustotal		Browse
https://github.com/opencv/opencv/issues/6293	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv/issues/16739	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv/issues/16736	0%	Avira URL Cloud	safe
https://numpy.org/neps/nep-0032-remove-financial-functions.html	0%	Virustotal		Browse
https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf	0%	Avira URL Cloud	safe
http://docs.python.org/library/unittest.html	0%	Virustotal		Browse
https://github.com/torch/nn/blob/master/doc/module.md	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv/issues/16739	0%	Virustotal		Browse
http://caffe.berkeleyvision.org/)	0%	Virustotal		Browse
http://121.127.33.39/apt66ext.log	1%	Virustotal		Browse
https://github.com/opencv/opencv/issues/6293	0%	Virustotal		Browse
https://github.com/opencv/opencv/issues/16736	0%	Virustotal		Browse
https://refspecs.linuxfoundation.org/elf/gabi4	0%	Avira URL Cloud	safe
https://www.littlecms.com	0%	Avira URL Cloud	safe
http://121.127.33.39/apt66ext.logy	0%	Avira URL Cloud	safe
http://curl.haxx.se/rfc/cookie_spec.html	0%	Avira URL Cloud	safe
https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf	0%	Virustotal		Browse
https://refspecs.linuxfoundation.org/elf/gabi4	0%	Virustotal		Browse
http://speleotrove.com/decimal/decarith.html	0%	Avira URL Cloud	safe
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	0%	Avira URL Cloud	safe
http://www.gdal.org/ogr_formats.html).	0%	Avira URL Cloud	safe
https://github.com/torch/nn/blob/master/doc/module.md	0%	Virustotal		Browse
http://curl.haxx.se/rfc/cookie_spec.html	0%	Virustotal		Browse
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr7	0%	Avira URL Cloud	safe
https://github.com/numpy/numpy/issues/8577	0%	Avira URL Cloud	safe
http://arxiv.org/abs/1805.10941.	0%	Avira URL Cloud	safe
https://www.littlecms.com	0%	Virustotal		Browse
http://www.gdal.org/ogr_formats.html).	0%	Virustotal		Browse
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	0%	Virustotal		Browse
https://stackoverflow.com/questions/7648200/pip-install-pil-e-tickets-1-no-jpeg-png-support	0%	Avira URL Cloud	safe
http://json.org	0%	Avira URL Cloud	safe
https://www.tensorflow.org/)	0%	Avira URL Cloud	safe
http://speleotrove.com/decimal/decarith.html	0%	Virustotal		Browse
http://xml.python.org/entities/fragment-builder/internalz	0%	Avira URL Cloud	safe
http://arxiv.org/abs/1805.10941.	0%	Virustotal		Browse
https://exiv2.org/tags.html)	0%	Avira URL Cloud	safe
https://github.com/numpy/numpy/issues/8577	0%	Virustotal		Browse
http://json.org	0%	Virustotal		Browse
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr7	0%	Virustotal		Browse
http://mathworld.wolfram.com/NegativeBinomialDistribution.html	0%	Avira URL Cloud	safe
https://stackoverflow.com/questions/7648200/pip-install-pil-e-tickets-1-no-jpeg-png-support	0%	Virustotal		Browse
https://github.com/opencv/opencv_contrib/blob/master/modules/text/samples/OCRHMM_transitions_table.x	0%	Avira URL Cloud	safe
https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf	0%	Avira URL Cloud	safe
http://xml.python.org/entities/fragment-builder/internalz	0%	Virustotal		Browse
https://exiv2.org/tags.html)	1%	Virustotal		Browse
https://www.pygame.org/contribute.html	0%	Avira URL Cloud	safe
https://www.tensorflow.org/)	0%	Virustotal		Browse
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Avira URL Cloud	safe
http://mathworld.wolfram.com/NegativeBinomialDistribution.html	0%	Virustotal		Browse
http://www.oasis-open.org/committees/documents.php	0%	Avira URL Cloud	safe
https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf	0%	Virustotal		Browse
http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html	0%	Avira URL Cloud	safe
https://www.pygame.org/contribute.html	0%	Virustotal		Browse
https://github.com/pypa/packagingz	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv_contrib/issues/2235	0%	Avira URL Cloud	safe
http://www.oasis-open.org/committees/documents.php	0%	Virustotal		Browse
https://github.com/numpy/numpy/issues/4763	0%	Avira URL Cloud	safe
http://mathworld.wolfram.com/CauchyDistribution.html	0%	Avira URL Cloud	safe
https://github.com/pypa/packagingz	0%	Virustotal		Browse
http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html	0%	Virustotal		Browse
http://www.inf.ufrgs.br/~eslgastal/DomainTransform/).COLOR_SPACE_Lab_D75_2MORPH_CROSSCAP_PROP_DC1394	0%	Avira URL Cloud	safe
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.476.5736&rep=rep1&type=pdf	0%	Avira URL Cloud	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	Virustotal		Browse
http://graphics.berkeley.edu/papers/Tao-SAN-2012-05/	0%	Avira URL Cloud	safe
http://www.zlib.net/D	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv_contrib/blob/master/modules/text/samples/OCRHMM_transitions_table.x	0%	Virustotal		Browse
https://onnx.ai/	0%	Avira URL Cloud	safe
https://software.intel.com/openvino-toolkit)	0%	Avira URL Cloud	safe
http://caffe.berkeleyvision.org	0%	Avira URL Cloud	safe
https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module	0%	Avira URL Cloud	safe
https://github.com/jaraco/jaraco.functools/issues/5	0%	Avira URL Cloud	safe
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	0%	Avira URL Cloud	safe
https://pypi.org/project/numpy-financial.	0%	Avira URL Cloud	safe
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
https://www.numpy.org/neps/nep-0001-npy-format.html	0%	Avira URL Cloud	safe
http://121.127.33.39/	0%	Avira URL Cloud	safe
https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/cornersQualityOOOO	0%	Avira URL Cloud	safe
https://github.com/opencv/opencv/issues/21326cv::initOpenEXRD:	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://onnx.ai/)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://caffe.berkeleyvision.org/)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.scipy.org/not/real/data.txt	staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.megginson.com/SAX/.	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://torch.ch/)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/19634cv::mjpeg::MjpegEncoder::MjpegEncodercv::mjpeg::MotionJ	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://121.127.33.39/rkn.log	rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.000000000295B000.00000004.00000020.00020000.00000000.sdmp, FFbd.dll	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://121.127.33.39/apt66ext.log	rkn.exe, rkn.exe, 0000000A.00000002.1906582152.00000000017A4000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://numpy.org/neps/nep-0032-remove-financial-functions.html	staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/library/unittest.html	staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/6293	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/16739	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/16736	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf	staged_out.exe, 00000016.00000002.2272572945.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/torch/nn/blob/master/doc/module.md	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://refspecs.linuxfoundation.org/elf/gabi4	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.littlecms.com	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://121.127.33.39/apt66ext.logy	rkn.exe, 00000007.00000002.1859848122.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/rfc/cookie_spec.html	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://speleotrove.com/decimal/decarith.html	staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gdal.org/ogr_formats.html).	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr7	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/numpy/numpy/issues/8577	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271847177.00000295F4570000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://arxiv.org/abs/1805.10941.	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://json.org	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/questions/7648200/pip-install-pil-e-tickets-1-no-jpeg-png-support	staged_out.exe, 00000016.00000002.2273799570.00000295FD480000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.tensorflow.org/)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xml.python.org/entities/fragment-builder/internalz	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://exiv2.org/tags.html)	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mathworld.wolfram.com/NegativeBinomialDistribution.html	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv_contrib/blob/master/modules/text/samples/OCRHMM_transitions_table.x	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.pygame.org/contribute.html	staged_out.exe, 00000016.00000002.2271754317.00000295F2C30000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271903544.00000295F47D0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.oasis-open.org/committees/documents.php	staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pypa/packagingz	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv_contrib/issues/2235	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/numpy/numpy/issues/4763	staged_out.exe, 00000016.00000002.2273669702.00000295FD2E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mathworld.wolfram.com/CauchyDistribution.html	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	Avira URL Cloud: safe	unknown
http://www.inf.ufrgs.br/~eslgastal/DomainTransform/).COLOR_SPACE_Lab_D75_2MORPH_CROSSCAP_PROP_DC1394	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.476.5736&rep=rep1&type=pdf	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://graphics.berkeley.edu/papers/Tao-SAN-2012-05/	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zlib.net/D	staged_out.exe, 00000016.00000002.2270219476.0000000062EA2000.00000008.00000001.01000000.0000001D.sdmp, zlib1.dll.20.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	staged_out.exe, 00000016.00000002.2273973720.00000295FD720000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2273941997.00000295FD6D0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://onnx.ai/	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://software.intel.com/openvino-toolkit)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://caffe.berkeleyvision.org	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module	staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/jaraco/jaraco.functools/issues/5	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271946338.00000295F4830000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/numpy-financial.	staged_out.exe, 00000016.00000002.2272538615.00000295FCE02000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCDF1000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.numpy.org/neps/nep-0001-npy-format.html	staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://121.127.33.39/	rundll32.exe, 00000003.00000002.2396183226.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2396183226.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861211680.0000000002AEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1908626749.000000000295B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/21326cv::initOpenEXRD:	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/cornersQualityOOOO	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/asweigart/pygetwindow	staged_out.exe, 00000016.00000002.2274006172.00000295FD770000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error	staged_out.exe, 00000016.00000002.2274929166.00000295FDC10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://121.127.33.39/rkn.logll	rundll32.exe, 00000003.00000002.2396183226.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mouseinfo.readthedocs.io	staged_out.exe, 00000016.00000002.2274929166.00000295FDC10000.00000004.00001000.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cazabon.com	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cs.tut.fi/~foi/GCF-BM3D/BM3D_TIP_2007.pdf	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/index.html	staged_out.exe, 00000016.00000002.2271651715.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251499316.00000295F2B88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/openvinotoolkit/open_model_zoo/blob/master/models/public/yolo-v2-tiny-tf/yolo-v2-	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tip.tcl.tk/48)	staged_out.exe, 00000016.00000003.2251888617.00000295FD177000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2273421053.00000295FD177000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.7/Objects/listsort.txt	staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pracrand.sourceforge.net/RNG_engines.txt	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCE86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://121.127.33.39/unity.pdfapt66ext.exehttp://121.127.33.39/apt66ext.logapt66.exemsupdate.exeC	rkn.exe, 00000006.00000002.2395343407.0000000002FC3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 00000006.00000002.2395272404.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859609747.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 00000007.00000002.1859676876.00000000009D3000.00000002.10000000.00040000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906412300.0000000001690000.00000004.00001000.00020000.00000000.sdmp, rkn.exe, 0000000A.00000002.1906499521.00000000016A3000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	_decimal.pyd.20.dr	false	URL Reputation: safe	unknown
https://stat.ethz.ch/~stahel/lognormal/bioscience.pdf	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	Avira URL Cloud: safe	unknown
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.131.6394	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/21326	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/time-zones/repository/tz-link.html	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271903544.00000295F47D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.python.org/library/itertools.html#recipes	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ipol.im/pub/algo/bcm_non_local_means_denoising	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openblas.net/	staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://tinyurl.com/y3dm3h86	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2271847177.00000295F4570000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://digitalassets.lib.berkeley.edu/sdtr/ucb/text/34.pdf	staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ipol.im/pub/art/2011/ys-dct/	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://arxiv.org/abs/1704.04503	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ipol.im/pub/algo/bcm_non_local_means_denoising/	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nightmare.com/squirl/python-ext/misc/syslog.py	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pcg-random.org/	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/20833.	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.math.sfu.ca/~cbm/aands/page_379.htm	staged_out.exe, 00000016.00000003.2251555312.00000295FC975000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC975000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/character-sets	staged_out.exe, 00000016.00000000.2242638599.00007FF6DBAD7000.00000002.00000001.01000000.00000009.sdmp, staged_out.exe, 00000016.00000002.2273941997.00000295FD6D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://people.eecs.berkeley.edu/~wkahan/ieee754status/IEEE754.PDF	staged_out.exe, 00000016.00000003.2251555312.00000295FC8DB000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272015625.00000295FC8DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gdal.org/formats_list.html)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/opencv/opencv/issues/20833DNN/OpenCL:	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mathworld.wolfram.com/GammaDistribution.html	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF04000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	Avira URL Cloud: safe	unknown
https://www.itl.nist.gov/div898/handbook/eda/section3/eda3663.htm	apt66ext.exe, 00000014.00000003.2229701481.000001700514C000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000002.2272572945.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2250204397.00000295FCF06000.00000004.00000020.00020000.00000000.sdmp, staged_out.exe, 00000016.00000003.2251193956.00000295FCEE2000.00000004.00000020.00020000.00000000.sdmp, _generator.pyd.20.dr	false	Avira URL Cloud: safe	unknown
http://www.gdal.org)	apt66ext.exe, 00000014.00000003.2229701481.0000017003200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
121.127.33.39	unknown	Afghanistan		55732	RANATECHNET-AFRANATechnologiesKabulAF	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467959
Start date and time:	2024-07-05 06:58:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FFbd.dll
Detection:	MAL
Classification:	mal100.evad.winDLL@43/179@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 37 Number of non-executed functions: 321
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.8.250, 2.19.126.149, 2.19.126.143, 50.16.47.176, 54.224.241.105, 34.237.241.83, 18.213.11.84, 172.64.41.3, 162.159.61.3, 192.168.2.4, 2.16.241.15, 2.16.241.13, 95.101.148.135, 199.232.210.172, 23.200.0.33
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, identrust.edgesuite.net, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, a1952.dscq.akamai.net, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, apps.identrust.com, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
121.127.33.39	rkn.log.exe	Get hash	malicious	Unknown	Browse	121.127.33.39/apt66ext.log

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RANATECHNET-AFRANATechnologiesKabulAF	msupdate.exe	Get hash	malicious	Unknown	Browse	121.127.33.39
	rkn.log.exe	Get hash	malicious	Unknown	Browse	121.127.33.39
	https://www.pxfuel.com/	Get hash	malicious	Unknown	Browse	121.127.42.98
	https://www.msn.com/en-us/weather/forecast/in-Des-Moines,IA?loc=eyJsIjoiRGVzIE1vaW5lcyIsInIiOiJJQSIsImMiOiJVbml0ZWQgU3RhdGVzIiwiaSI6IlVTIiwidCI6MSwiZyI6ImVuLXVzIiwieCI6Ii05My42MjAzMzg0Mzk5NDE0IiwieSI6IjQxLjU4ODc5MDg5MzU1NDY5In0%3D&weadegreetype=F	Get hash	malicious	Unknown	Browse	121.127.42.98
	https://lanecain-homes.com/	Get hash	malicious	Unknown	Browse	121.127.42.98
	http://belastingdienst-betalingportaal.info	Get hash	malicious	Unknown	Browse	121.127.45.81

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\apt66ext.exe	rkn.log.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\apt66ext[1].log	rkn.log.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imaging.pyd	msupdate.exe	Get hash	malicious	Unknown	Browse
	rkn.log.exe	Get hash	malicious	Unknown	Browse
	apt66ext.log.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	BazaLoader	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.155390965213848
Encrypted:	false
SSDEEP:	6:BOQI5fEL+q2Pwkn2nKuAl9OmbnIFUt84OQI5fk1Zmw+4OQI5f7GklLVkwOwkn2nC:EQqZvYfHAahFUt81Qqk1/+1Qq7rz5JfC
MD5:	004E654AC6E6160219656BFF4E41AD52
SHA1:	516036679E30EA118A295E3410AD00F4F340A27F
SHA-256:	6180114C4D9103A0235DF9F7F4D3420693368C25E9116C5940C3919181C055AE
SHA-512:	67F86B4CF80B0B5286E88007BA5C98B2228E2947705A31E8F35E4A521AB98B12A6D46045E83148F0BC558A00C40E2E88FB0892E165B1489AF4CDB40CC0206B96
Malicious:	false
Preview:	2024/07/05-00:59:02.020 1c98 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/07/05-00:59:02.022 1c98 Recovering log #3.2024/07/05-00:59:02.023 1c98 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.155390965213848
Encrypted:	false
SSDEEP:	6:BOQI5fEL+q2Pwkn2nKuAl9OmbnIFUt84OQI5fk1Zmw+4OQI5f7GklLVkwOwkn2nC:EQqZvYfHAahFUt81Qqk1/+1Qq7rz5JfC
MD5:	004E654AC6E6160219656BFF4E41AD52
SHA1:	516036679E30EA118A295E3410AD00F4F340A27F
SHA-256:	6180114C4D9103A0235DF9F7F4D3420693368C25E9116C5940C3919181C055AE
SHA-512:	67F86B4CF80B0B5286E88007BA5C98B2228E2947705A31E8F35E4A521AB98B12A6D46045E83148F0BC558A00C40E2E88FB0892E165B1489AF4CDB40CC0206B96
Malicious:	false
Preview:	2024/07/05-00:59:02.020 1c98 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/07/05-00:59:02.022 1c98 Recovering log #3.2024/07/05-00:59:02.023 1c98 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.142448171831532
Encrypted:	false
SSDEEP:	6:BOQI5frzi+q2Pwkn2nKuAl9Ombzo2jMGIFUt84OQI5fpOHZmw+4OQI5fFVkwOwkV:EQqK+vYfHAa8uFUt81Qqpa/+1QqFV5JI
MD5:	37C6EFB91485A84B1ED0EC6E3B5BA781
SHA1:	CDD8A1B25C01A96961C5AE24013E196826E9844E
SHA-256:	33C789612C2D49B888D2AEAC3D9D7DBFA46923864B9D2D70EBAA0902CED98673
SHA-512:	D98B8DEB5EEE19E94196EF9B3BB326DB7BF3207AFA57BE24FD8D6FD34668352560C7513B5575829728F304B1888194CB2F15C6AE1C7EAA2F1E8034429FF4476E
Malicious:	false
Preview:	2024/07/05-00:59:02.101 1d9c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/07/05-00:59:02.103 1d9c Recovering log #3.2024/07/05-00:59:02.104 1d9c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.142448171831532
Encrypted:	false
SSDEEP:	6:BOQI5frzi+q2Pwkn2nKuAl9Ombzo2jMGIFUt84OQI5fpOHZmw+4OQI5fFVkwOwkV:EQqK+vYfHAa8uFUt81Qqpa/+1QqFV5JI
MD5:	37C6EFB91485A84B1ED0EC6E3B5BA781
SHA1:	CDD8A1B25C01A96961C5AE24013E196826E9844E
SHA-256:	33C789612C2D49B888D2AEAC3D9D7DBFA46923864B9D2D70EBAA0902CED98673
SHA-512:	D98B8DEB5EEE19E94196EF9B3BB326DB7BF3207AFA57BE24FD8D6FD34668352560C7513B5575829728F304B1888194CB2F15C6AE1C7EAA2F1E8034429FF4476E
Malicious:	false
Preview:	2024/07/05-00:59:02.101 1d9c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/07/05-00:59:02.103 1d9c Recovering log #3.2024/07/05-00:59:02.104 1d9c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.971927614950059
Encrypted:	false
SSDEEP:	12:YH/um3RA8squHWsBdOg2H0fcaq3QYiubInP7E4T3y:Y2sRdsFbdMH0u3QYhbG7nby
MD5:	1AE672EA76A43EB2A5A34AD3DDF619E0
SHA1:	237C26DF6089E54F129E1BF2B3A63173B0F1476C
SHA-256:	5772E2194FEE3852963D7F9D473B438433BF93BC318DBD17B22E8E736B732EDD
SHA-512:	0F0B3B73B08826267D1B3E2965B9621643AF0AB035B8C15A515ABD7D14C13CE3CE1EDE32522AB856D1676C4F4982782B225600961F35D3AD1DBE3E57A2454DE2
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13364715547926055","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":174888},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\aa3dba9b-6806-4db1-a646-aadb714730fc.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.971927614950059
Encrypted:	false
SSDEEP:	12:YH/um3RA8squHWsBdOg2H0fcaq3QYiubInP7E4T3y:Y2sRdsFbdMH0u3QYhbG7nby
MD5:	1AE672EA76A43EB2A5A34AD3DDF619E0
SHA1:	237C26DF6089E54F129E1BF2B3A63173B0F1476C
SHA-256:	5772E2194FEE3852963D7F9D473B438433BF93BC318DBD17B22E8E736B732EDD
SHA-512:	0F0B3B73B08826267D1B3E2965B9621643AF0AB035B8C15A515ABD7D14C13CE3CE1EDE32522AB856D1676C4F4982782B225600961F35D3AD1DBE3E57A2454DE2
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13364715547926055","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":174888},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.254953196643728
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7nUm2oht:etJCV4FiN/jTN/2r8Mta02fEhgO73god
MD5:	82CFA8F0A789B1632A1D889879A8BBA0
SHA1:	C78B14FF0980E649D6815C77FDBDACEEE4D3E7B8
SHA-256:	91A5CCDAF4F03083A9EEED8E1439C4762214A6849375A32A8546807B5177DF59
SHA-512:	1A00B923049D0A235BBC38DAB8634633724B686DD726D4EADBB740AB8184C24EC0F0E9B72A67B7BB2E58320D20259C2AA3B65B9F675B60A16919E3EC29608930
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.176949015097469
Encrypted:	false
SSDEEP:	6:BOQI5fp+q2Pwkn2nKuAl9OmbzNMxIFUt84OQI5fsZmw+4OQI5fgqGFNVkwOwkn2v:EQqp+vYfHAa8jFUt81Qqs/+1QqgqGFNV
MD5:	C84655BF243B159D8620B8739584912E
SHA1:	A780C9F7CC6E61579A7E7DDE3766BA71F210C217
SHA-256:	69AF425C668D2133D2B811666CD1C6CE596E3AE72AB1A209BC126A1703681DAB
SHA-512:	177170B8CF21684FDDEAEC7339C93695D1F8E22408BA0D7480A5960DF386C617C245F5BDF7C8CE13E3816750095B6FD6D6AF3A3C35D8312D39725B6EBB48CCC9
Malicious:	false
Preview:	2024/07/05-00:59:02.276 1d9c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/07/05-00:59:02.279 1d9c Recovering log #3.2024/07/05-00:59:02.280 1d9c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.176949015097469
Encrypted:	false
SSDEEP:	6:BOQI5fp+q2Pwkn2nKuAl9OmbzNMxIFUt84OQI5fsZmw+4OQI5fgqGFNVkwOwkn2v:EQqp+vYfHAa8jFUt81Qqs/+1QqgqGFNV
MD5:	C84655BF243B159D8620B8739584912E
SHA1:	A780C9F7CC6E61579A7E7DDE3766BA71F210C217
SHA-256:	69AF425C668D2133D2B811666CD1C6CE596E3AE72AB1A209BC126A1703681DAB
SHA-512:	177170B8CF21684FDDEAEC7339C93695D1F8E22408BA0D7480A5960DF386C617C245F5BDF7C8CE13E3816750095B6FD6D6AF3A3C35D8312D39725B6EBB48CCC9
Malicious:	false
Preview:	2024/07/05-00:59:02.276 1d9c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/07/05-00:59:02.279 1d9c Recovering log #3.2024/07/05-00:59:02.280 1d9c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.44495848013032
Encrypted:	false
SSDEEP:	384:SeGci5tBiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:CSs3OazzU89UTTgUL
MD5:	AC2F86185CFE1C2E57662F4D7979EBF3
SHA1:	D2FEB81EA6C3E6224F88696B5143EFA144436C68
SHA-256:	AFB3A3B8B552F07A7B5DBCB46CA00EF4F3207CACA205EDA1FD0F4CAA6B9BE011
SHA-512:	E988CABEE462E5E966887921E035F5D53606FA391B02383ED5B7F570419CAF762048D5DDBC503401C9785783C9AFC8470C21191EA88382478247B4EDA04137E7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.2133574840993733
Encrypted:	false
SSDEEP:	24:7+tHpSnuwK52vqLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wm2:7MgnC5WqvmFTIF3XmHjBoGGR+jMz+LhG
MD5:	C1E2CB27F144EE475FDBC8CC24F59DF0
SHA1:	A9D67064F0387D41F9B89951341E45C671FCDAF3
SHA-256:	C5F9B98E0A796CE52F6B664F61C19EFF0D73803A1A8C6B51FE61D0B45015B6C3
SHA-512:	25EA3646C91FDB277393162077032B79874E2F4AD168ABC6D0D659E7AF9406E428084E6E7795B37D4C783196C3AA942A01578590C820AE82AE7C2DD6104B7C25
Malicious:	false
Preview:	.... .c.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2352707042963518
Encrypted:	false
SSDEEP:	6:kKO9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:pDImsLNkPlE99SNxAhUe/3
MD5:	30453EC573B9EC5EED632343B526996C
SHA1:	A38BDB4FAD8090078EC802040FBEB3A6A3255337
SHA-256:	296C93DD7B0EFA0871122C5C2F17B0763F0F49B142F028BD2EC63315050D2B9F
SHA-512:	EF5B5E9DB4DA8C5928C424D39F8150871C9EF0447B153E6CF5B94D03E0E241C22FEB397C4026F3C4BA21C29E76ADF42743CCD2B272D1C13D0B66DBA062FDFCD3
Malicious:	false
Preview:	p...... ........;o......(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.026467887142631
Encrypted:	false
SSDEEP:	3:kkFkl2rklfllXlE/E/KRkzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB8V7lnka:kKsxliBAIdQZV7I7kc3
MD5:	86DB6258FFEC2D1F7377F2FB96168FDE
SHA1:	28478BA7CCB2E9DAEBC7EB77F796604334457307
SHA-256:	15CE1DA835F1C3B2DE98ABAA68A5AB67D324CB3C2DB2D8352A4258ADCB5F2A6B
SHA-512:	F3B6E24449E23897481888F26339EE05FF0EC73EEE503DADA5E07468676E8248FC8806E859DF549A9E52A15E85539DA4F2251D3644A94E0F773D8C26775D3C96
Malicious:	false
Preview:	p...... ....`...j=m.....(....................................................... ........!.M........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.6.0.7.9.b.8.c.0.9.2.9.c.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7176

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.372984335383831
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJM3g98kUwPeUkwRe9:YvXKXFcDEZc0vLGMbLUkee9
MD5:	3142784850E79384145C02A306DFE710
SHA1:	18AAD1637E7AF2196A1D2BF23507EE39083F47B5
SHA-256:	CD73B360A018AF8EAEE0CE0929A2C38A4033CE00C09AABB4C14861C69449506E
SHA-512:	F3BBCCDA26C45447269BF2B106FA2A9B4AE0BBA7BE37DD9AF9F14621116180266552FC4AE4A90DF992ABAB5FBAD66D8BA462F99DBF8F533781EACA9B15390CB1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.3204122915699745
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfBoTfXpnrPeUkwRe9:YvXKXFcDEZc0vLGWTfXcUkee9
MD5:	10249C7585BEDAA423AE3404D1EAE588
SHA1:	72ED88142D45927CDB4D417B9F538C0749B87382
SHA-256:	63C764A9E45AAB48C1EC6D257AC27A78E72ED16D7A0DEEE498FD21716D99DAAC
SHA-512:	C168EFA219FE1059F5B9174FCA29E2D3FCFBE96F0E433E78F4959C5F90CC4DDFE041B9CBF3702BCD7E669D5E902FC8EA4A083E5F7B1EA3871AE5DB50F006888C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.300430008386334
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfBD2G6UpnrPeUkwRe9:YvXKXFcDEZc0vLGR22cUkee9
MD5:	E6A66E770A5C7E67BF480BABEF4567BC
SHA1:	C3C004DFB37FEC84093C4F7871BCE705A943BBDC
SHA-256:	F510322148542289FCA0EAD6F6C284AAC60890CB16A20F45E5D157773AF79DAA
SHA-512:	9DB97275F351306EA4B4229EB3AAE597C50A39DCEED58AE6F9B1106F5075BD55FF332B36CBD223BF2AA2FE3B484A7C6E1EACA867641BB855E188AC1B0981FA94
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.3603324187392225
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfPmwrPeUkwRe9:YvXKXFcDEZc0vLGH56Ukee9
MD5:	8E3B629DB037942F2022D952F5D0E959
SHA1:	D9A864A7B4931E4418455A0411CCC24465F3E2E7
SHA-256:	C84A80BCCC6FB654FD9020B1B7D3B6E91184542C67CB79283181ABD3915A5D42
SHA-512:	27C97DCD7DD862A3C8B8BC7FC36104F8047E505ECDE0F4BF7CA46D381E386417875ED1EA53B827CC54531D9B12B092FC04303910BED07DF9EA16B15CAD103856
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.314801710940621
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfJWCtMdPeUkwRe9:YvXKXFcDEZc0vLGBS8Ukee9
MD5:	9EEB9DAC1AEBE6C6459592CAF71580F3
SHA1:	5347F4C1E271F20A6A26FA2AC72EE03D906AED1D
SHA-256:	CBB118BBCAC304EE90481ABE1C1BB56532846ADB563DE8AA125C65E775E58795
SHA-512:	EBB5984D5CCA90E38EF9F3B27B6DC26A99799F5793933F0EF360C38A75EB22F5387AED21944444C5B5BF38DB0ABA124F18D1A587FA6C784121B1C3176F136FD1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.303334171197813
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJf8dPeUkwRe9:YvXKXFcDEZc0vLGU8Ukee9
MD5:	0AFA4215DF3D0A2952DC4D9AE7E3EA6D
SHA1:	FFAD7F6450D43513184B422B66DF7A1F76FFEC48
SHA-256:	0900530B65B01BE5019A4698C256A987FF957AC17AC3C54BB29AF3B3FACC6048
SHA-512:	5679C5BBC8E75B99EDA03CBF64DC6F6E62462DF36BF16D0F324608B17688B1C41F6DE10B9EC73513C697195D44B615B299D5058DCD380CC289B9551270A1EB64
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.306665765961851
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfQ1rPeUkwRe9:YvXKXFcDEZc0vLGY16Ukee9
MD5:	45B3E2BC0FDF572F49CEEDA4BC4129E5
SHA1:	03F4489D1F9976C8C8458D7B3479D5DB17F08B67
SHA-256:	087E335C95B8C2CDC27A23B1ACD16E5EF67CA9FC921B55313AB2F20CA1385326
SHA-512:	4471908044F43BD4555B9489429F64EDF26F51D2E338032AB90F1084B9CA4BA5E9799F32C89C43E624F7711711AAC1A98F231C5C4065306BE0F3AA7FA67778CD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.310029909722827
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfFldPeUkwRe9:YvXKXFcDEZc0vLGz8Ukee9
MD5:	D57CB024B8EFA550B519D6C4A52ACB6F
SHA1:	3FC782BCCE8D2B9CFC47C593106A207F669D8976
SHA-256:	BA019D8E20C49851E2D2CD80CA2B10E5A89C779396436C72883CAAE9A8896538
SHA-512:	97D2BC50F13FCF6B2840D229A55A3D3E88AB675FF7C7C1D0A1D939E883F085B348310FCF687FFD0B5D06BA098D3728E149870753BCEAECFE9A6985D50FF6113C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	5.737327632455175
Encrypted:	false
SSDEEP:	24:Yv6XJzvTKLgENRcbrZbq00iCCBrwJo++ns8ct4mFJNLm:Yv67EgigrNt0wSJn+ns8cvFJtm
MD5:	8D5E05B9F87BE2EF7A03C5AFDB4536F0
SHA1:	1836366437DC1072E9C48005CF9AB85C1E3E6BA4
SHA-256:	8AA90CA73E1DCB55804F32DE83FFB82A2141E02E1E464AC062374B57B44BF3B8
SHA-512:	3CD6F54803EAD8CDE433DBDAFA795635386501CE295A27DE144598641E5BFC7A8832F53D763C2CE22513C646F998524964A764891B01BB626520C27DA51D1919
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"79887_247329ActionBlock_0","campaignId":79887,"containerId":"1","controlGroupId":"","treatmentId":"acc56846-d570-4500-a26e-7f8cf2b4acad","variationId":"247329"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJUcnkgQWNyb2JhdCBQcm8ifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNSIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTMiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIDctZGF5IHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0byBwcmVtaXVtIFBERiBhbmQgZS1zaWduaW5nIHRvb2xzLiIsImJ

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.308028660857948
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfYdPeUkwRe9:YvXKXFcDEZc0vLGg8Ukee9
MD5:	B869F77B49E03062C26123D98B702F1B
SHA1:	A81AFBBB0586CD0DC019758E038E13FA7D2CEFBD
SHA-256:	0697BB0DD78E8124E893A465627737A3D69E436A09D1469943E833040C909533
SHA-512:	7747502563ACA237EF66A15380D13135EB937AFF6C76B26D51414315BEC1AB27BB0D0400286780B869FCDB26C35939C3B810FFC51E1843ABC86D3FA41160A94E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1395
Entropy (8bit):	5.776479827339686
Encrypted:	false
SSDEEP:	24:Yv6XJzvurLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNDm:Yv6mHgDv3W2aYQfgB5OUupHrQ9FJ5m
MD5:	2070A6E859F9DBDD7F124DEC8F11DCC4
SHA1:	611B16F2CD30B1234EC2E27DA9E4EA4162BF0E56
SHA-256:	28A964BA026B9F373D1A0F0B0C8714649DBE451ED5B17B931E49782802F17066
SHA-512:	BB0E2FD8A8490026F34B62946305AF4F46D3B1B2E337D994BC5AD9B063E796A6FBE0821254ED89DC5E9D311B8022C780E5A59312ECCC91BA3EAE41D0FAFA630A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.291520578732101
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfbPtdPeUkwRe9:YvXKXFcDEZc0vLGDV8Ukee9
MD5:	CFA3B69F3B0E45DC1A3CDBAEE81CFE40
SHA1:	959CB2D21E943330E6F6604B809375A5839698DE
SHA-256:	5BD79CD867737C8F0D9B5978ED674883209D3DA449AACFB2196B00C73EAB16DF
SHA-512:	A04630FE49E823E13D5ED351290F1767A0D788372DC1208AC0A70BAFE12CFC0C3B111A853194FAC6554D929D2FA8528D4D08CCA3DF67D7D494FCFBAA764F3716
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.296283160024189
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJf21rPeUkwRe9:YvXKXFcDEZc0vLG+16Ukee9
MD5:	E734F4054D76002A36E57FEBCE22E5F1
SHA1:	F41F7C5BAF70879E2930DEDCBF0A76390EC65FFC
SHA-256:	57A9F0B08580EE4B7F40A63336DC8BF122D306434C1CEB45B1C9C3BCE354A77A
SHA-512:	49DD04C709B3294642E9C48A67866E8E332525F8F5C92D7C81D6D1365405737C751BD776E427C60EB1AEAEF2D34E297E488E8651889CEED9D5F1F1691E4B3080
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.315404126701263
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfbpatdPeUkwRe9:YvXKXFcDEZc0vLGVat8Ukee9
MD5:	673250320CB32D60453D33B23F9A0449
SHA1:	5797D97585412AB12404C9CDBB687975D4E3755C
SHA-256:	76EE03B298A1046B4F2D106033881F5C3A6FB07F142E4D57650372505008F156
SHA-512:	7A15DCAA9DBD9E94B36EA130500BB48A9EB21429AD52F709B80ED5C4C19D7D9A770E9DDAFF7D97C578BC2170B6B109588AD1E6B801A82613D8C658AAB64F1A81
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.270931013038354
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFcRtvH9VoZcg1vRcR0YO4xoAvJfshHHrPeUkwRe9:YvXKXFcDEZc0vLGUUUkee9
MD5:	0EA5CD5379B0710FFA2105EE1B18A437
SHA1:	91733FE74FC0001DF5D934E596492794A868D7C8
SHA-256:	7D83E6616FF4E97B9B92EF0E12B603A7472C00C7D741F11ED4E388612EA53A86
SHA-512:	3F42142C02037009C8F104A8890267E8868F6F621895F45E5DAA485EC94B30D723636A434B41843021DE696CEF536D1E0C1CA40615301D14CBB7E31BB1B2C75F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.371311468649461
Encrypted:	false
SSDEEP:	12:YvXKXFcDEZc0vLGTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWHm:Yv6XJzvr168CgEXX5kcIfANhom
MD5:	8230CA14E5F4D4B36B7F650C21593666
SHA1:	272E140F555A565D32BCCF9116FBA976FFF1038B
SHA-256:	2FC114140DD1064A6568D86126E1B27C497D5CEC0F1205C93E4EBB505EABC870
SHA-512:	2DF82DD0E3E71538D9C1E78484CF7735BA3F0CE06538C4FED6492A9BF13D1FC6ED2B85F287E690404F9A01AB29047EED24C46A5CBAB1351D1B8D8F3E1CB22977
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"29fd6d38-4e3e-4e91-b1e9-27f0a29bda2d","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1720334528838,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1720155548867}}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.131610290632152
Encrypted:	false
SSDEEP:	24:Y87MC0WsPEPXClXqgp2nXnaaayXlSJzwXBiNecjD2cj0SMStF/b/2yeN62LSM8Ub:YleZS4gp/fDZFTuEvIkl9sDAc
MD5:	C559B23D3CB56D1C48FE5A4D732AB2EB
SHA1:	A27E249D395F3F217F7DB4CB210B64A04D2618A1
SHA-256:	D416352C03EF11AFBD7DCD9E6F4E6E1E2FA1587406D75F3ACE754A421EAA05DB
SHA-512:	7096577D556B09177052893FE3C111A5FF494179F51CCDF78571E67EECD87A22D064F0BC435635E19DE0E293BEC54221A450D8D06582CB1E57F4DABE6558FBCD
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"461d2726e6940e22447ba47a7bf767df","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1372,"ts":1720155548000},{"id":"Edit_InApp_Aug2020","info":{"dg":"b9ed2018e8e01be71e1c36fb46ec9040","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1720155548000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"d2db5be6b4a86ca0f650f931651c52b8","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1720155548000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"1c0d08232d22e8db6b06d864353ab068","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1720155548000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"90e3b612a7c5db9952b294502409e647","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1720155548000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"0adc67805cf0817ce457c70d2210f43d","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1720155548000},

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1886684847601907
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUiSvR9H9vxFGiDIAEkGVvpo:lNVmswUUUUUUUUi+FGSItE
MD5:	C19AEFD6C06686B9653702B31D78FA1F
SHA1:	8C0F6AD6AD4CAAB785D13732CBB17EDA961724E8
SHA-256:	D5F66C6A6D952B378C2118090238EEBB3FE43618B979D79AD488AC63DBF3EA25
SHA-512:	78EAB020D3FB052BECE8D526E636997B84397240ABB367EBE710BB3ACC953C94F113AC0888D388C535C75DC73044D3A34F191C368FC7E13EBA9443D6CE76C435
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6086172159693235
Encrypted:	false
SSDEEP:	48:7MlqKUUUUUUUUUUwvR9H9vxFGiDIAEkGVvXqFl2GL7msk:7wxUUUUUUUUUUIFGSItFKVmsk
MD5:	94F144ED24DE59053D1471A9BE27F0D0
SHA1:	71FB7D9DE4B27284631737C2EDDBC883801E1CEB
SHA-256:	69058A30D879665613D5672EFEE9B6537465488EE2889F61D58507402C457622
SHA-512:	4BBDC4C17A9A0A7F8FEFE14C3A09481043F862BC390EADA7487CCB19F56E09760DF14AA0E0BE020EA4048F3F70A0CF14C65F481150FB3AB182289173DA9D9973
Malicious:	false
Preview:	.... .c.......ZI......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	6.948416585892318
Encrypted:	false
SSDEEP:	768:iq6bYI7ev0DeJpFgjzjW8SGJVnxsJ/cS7iKGztVuanh8w2OfJ7ejaP6yEqzeGO0I:iXbWv04jgXjW8PHccS7i9u6yeNejY6ys
MD5:	4B683807246FC18189D63DD9A4E9429F
SHA1:	1DED192558723EBE1DE20B099343DA06D6A215C5
SHA-256:	BA77B5949CA2198459C7F2F260C1B57AF93F4B3466F8278BFCAB114C9E0B2D79
SHA-512:	7B177DE3ADB54FE049E5A4D927957008F4829A46FC6C8206657F5BC6435F079A6E47FD3FFCCFD03D6F40F125855659B3380E9C33C1EDA0E7E5D14180CA761377
Malicious:	true
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rkn[1].log, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..S,.x.,.x.,.x.%...&.x.~.}.?.x.~.\|. .x.~.{.-.x.~.y.(.x.g.y.).x.,.y...x...q.-.x.....-.x...z.-.x.Rich,.x.................PE..L...m]nf..................................... ....@.......................................@..................................%..................................p...,!..p............................!..@............ ...............................text...)........................... ..`.rdata..t.... ......................@..@.data.......0....... ..............@....rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\unity[1].pdf

Process:	C:\Users\user\AppData\Local\Temp\rkn.exe
File Type:	PDF document, version 1.7, 4 pages
Category:	dropped
Size (bytes):	86196
Entropy (8bit):	7.87858938350625
Encrypted:	false
SSDEEP:	1536:hBhksShBntb0liRZmRKIQh13cqT+Mve6US2c6fGJ76c3oW9CMJ6yd:lk1N9bRZmRDQuUPe6US2c6No9CM3
MD5:	CC4676EF08E8AECBE22B9232F27B2141
SHA1:	03BB3A2CB2C8A5CF7B93CF7C666C470144CFD724
SHA-256:	48331EA4E205E07525F47149D19C8F78DBA24EE63147A74F7D0A443008E4587D
SHA-512:	A27DAEF2DB426114F9B45F9EAD7C0CF5E6C84389570E51C749C9CE9BAD8AB6D2C866C54A291FA5A6D83AB7B476A00E9AD4729C92ED53B5371AF7E2382CCBEC96
Malicious:	false
Preview:	%PDF-1.7.%.....2 0 obj.<</Length 3 0 R/Filter/FlateDecode>>.stream.x..XK..G...(.-..R.....n.....B...6.8f..I.}$..3.x.Nou=.O.>.Fv .><<..~...W1.;........m....@.......?.?...zx.}.....$.0.....^>.......cb.t...a...8.... ...H+.}/.....2J'..s....<..p...FN ....c..4....O..\|x..:?.........o1....b........b..h........G5>..I.....M.9..H.....34.<..#..qV.=.V.\|..y.....q&8\|.<.ox..q<..Az.7.....g}...F...a.H.....b:..C..t.......;.Y....D..o...........F..q.'..#.h....A...$rH2..(.V......1.ML4....0......-.>+.S`....e.zC~.ls.1..>A..F@...3..,D.+...b.xo...Ekh.e.oca.XxL..~.8.=.[...(3fQ........^[..M.\.T%;}!..$.,..{.......@.<E2G...g{.y.g..J^y[DEq./\|..)....ce..... .............q.m...L..{..X.A3VA^.....`m...=..I"#s..e.%5. .8k..XOJh...]"Tr.d.-s.s..3.6>.....s.B..a.8-.6....~....21.j...."A.....Vz;.j....a.&..L.......x...dd..T......9..e.\.....oZ..DaS./..lN2jE......p......2....s.`3........A_k.U.fN.....Y9..~...b.4...:..N..K..R.t.2.S ..Q..M....E.J!.YN.[.o.tN.f=....r...w..ud...Iq..j;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\apt66ext[1].log

Process:	C:\Users\user\AppData\Local\Temp\rkn.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55675088
Entropy (8bit):	7.998533737468859
Encrypted:	true
SSDEEP:	1572864:bVxMP+5vwyPlqv4QvVWKZeIw3UzwKxy27PXHB:bVCCwy9uVPw3U0KxyAPXh
MD5:	494A19DC7E5EAA0E516ECE245D2661DE
SHA1:	37E1A6A7B9C2F85D563BFA44AABCABC26FD00FB5
SHA-256:	7FF47DCE0AD262F4C0818170213A2A5C97B098258F5B2E85B3DF5A48EED05183
SHA-512:	180FDB170B68399C563C1DE6C290A9B365F32C484FF53E16D4EDBF967CD4FA9D8D50B45AB87AFD6F1E9B670240D640DA683A7E3E657ED22BD648D385624EC06A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Joe Sandbox View:	Filename: rkn.log.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x..x..x..3...~..3......3...r..m.x.y..m...P..m...h..m...q..3......x.....NY..y..NY..y..Richx..................PE..d.....mf.........."....%......................@.............................@............`.....................................................P.... ..P....................0.........................................@............................................text............................... ..`.rdata..............................@..@.data... ...........................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc...P.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\unity[1].pdf

Process:	C:\Users\user\AppData\Local\Temp\rkn.exe
File Type:	PDF document, version 1.7, 4 pages
Category:	dropped
Size (bytes):	86196
Entropy (8bit):	7.87858938350625
Encrypted:	false
SSDEEP:	1536:hBhksShBntb0liRZmRKIQh13cqT+Mve6US2c6fGJ76c3oW9CMJ6yd:lk1N9bRZmRDQuUPe6US2c6No9CM3
MD5:	CC4676EF08E8AECBE22B9232F27B2141
SHA1:	03BB3A2CB2C8A5CF7B93CF7C666C470144CFD724
SHA-256:	48331EA4E205E07525F47149D19C8F78DBA24EE63147A74F7D0A443008E4587D
SHA-512:	A27DAEF2DB426114F9B45F9EAD7C0CF5E6C84389570E51C749C9CE9BAD8AB6D2C866C54A291FA5A6D83AB7B476A00E9AD4729C92ED53B5371AF7E2382CCBEC96
Malicious:	false
Preview:	%PDF-1.7.%.....2 0 obj.<</Length 3 0 R/Filter/FlateDecode>>.stream.x..XK..G...(.-..R.....n.....B...6.8f..I.}$..3.x.Nou=.O.>.Fv .><<..~...W1.;........m....@.......?.?...zx.}.....$.0.....^>.......cb.t...a...8.... ...H+.}/.....2J'..s....<..p...FN ....c..4....O..\|x..:?.........o1....b........b..h........G5>..I.....M.9..H.....34.<..#..qV.=.V.\|..y.....q&8\|.<.ox..q<..Az.7.....g}...F...a.H.....b:..C..t.......;.Y....D..o...........F..q.'..#.h....A...$rH2..(.V......1.ML4....0......-.>+.S`....e.zC~.ls.1..>A..F@...3..,D.+...b.xo...Ekh.e.oca.XxL..~.8.=.[...(3fQ........^[..M.\.T%;}!..$.,..{.......@.<E2G...g{.y.g..J^y[DEq./\|..)....ce..... .............q.m...L..{..X.A3VA^.....`m...=..I"#s..e.%5. .8k..XOJh...]"Tr.d.-s.s..3.6>.....s.B..a.8-.6....~....21.j...."A.....Vz;.j....a.&..L.......x...dd..T......9..e.\.....oZ..DaS./..lN2jE......p......2....s.`3........A_k.U.fN.....Y9..~...b.4...:..N..K..R.t.2.S ..Q..M....E.J!.YN.[.o.tN.f=....r...w..ud...Iq..j;

C:\Users\user\AppData\Local\Temp\MSIe7409.LOG

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5136057226030957
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8wAKYlYH:Qw946cPbiOxDlbYnuRKWKYlYH
MD5:	A01D79909AA85BD06D6F16A82C92EE31
SHA1:	CEBFD2F77E98F920DD005630933D1B9C71904986
SHA-256:	DCF7B8F86A2EE9ECA9020B761D235908439A1B78DBB34C51CA71F73ADE23B757
SHA-512:	FE73F55FD44998ED909CF497A6EC6FF3BF4721E7F974F2394F32BFE7B0CE7AF0A5E57866293E4188DE26186459B6943E656A68C22CE2C9EAFB919EE386C1CD85
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.5./.0.7./.2.0.2.4. . .0.0.:.5.9.:.1.0. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91r2pgc7_hlmxc_5jc.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	127214
Entropy (8bit):	7.992938944970855
Encrypted:	true
SSDEEP:	3072:uswQeDPMQviqN8xfRmKMPcSnWlG1SS7Zqc6DOR44IxtUsi5:uswtPMMrSx+0SWlG1SSO6cYsi
MD5:	997CE5ED3633E8FF84C2F7D1F0E48E53
SHA1:	D22617BDF6D8DCE13E5FCBE9BDD57A812EE1E237
SHA-256:	E06C221FB5B43F5A25220D326EB501573C2E0CC9FBB31007BF79054B6F613907
SHA-512:	CE187CD9CE4CAC28B91CD0B090A70B15E28BC59BE0CC2A1E58F4257ACBAD5C05B40D7E1ECC8F16B626BC51AFE6817E524A4326F09C3FBA85637285EA1F3291D8
Malicious:	false
Preview:	PK........,C.X...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........>.X..lz............message.xml.]Ys..~...r..S.c...-.K....v.Y.KEK...E.H.......Z(...V.N.... ..p.s....(...$...o..=:.D..A.....w.....#....8..4;nGq.<.}?.>.#?.........,.Bq..G..v08....G.=.i.....~..Q.......4.....h...`............Z... ..~(.X.g.>..;8=...7.x.G.....v.{..^.y}s...#u+.. ...s.$.2.._t...Gyuz....x...&gO..8..$.hp#.W.@..V...x.OW.c.........."S.x...>.Y....L..1..I<..vL.{$......#.i...7X\l....S..^..?.)..9tX..V.=.3qL.a...b.Bv.....X\|..O. y.5u.19...d..}{..q.d..p}......)..l..r.fk..<..v..(..o......-.f_....h..e ......Z....K.;Ka..cB<....:..x.(...v{(..!@.Z...Bg.n.<..PD.".+..0.A..5.Y...x....9.]..........d.2.h......<.j........~.+.g...8r.....].lS.9..RX@.;..........9.....8.A.......?tq....&....0..t..]...aW.....<.....Ka.=XO..C........~.F3.+.b..Y.\.,..Cq6.n..8..b`..b..{.8.......2o.S.J3U.bx;S..L..Y..L.v..LU.g....%..0U.....\...P>...Q..e..p0#yKN.H.Br..Nh r..D..?..Vuh..q)o.D.]#h.M.A

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91ydadj9_hlmxb_5jc.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	127214
Entropy (8bit):	7.992938944970855
Encrypted:	true
SSDEEP:	3072:uswQeDPMQviqN8xfRmKMPcSnWlG1SS7Zqc6DOR44IxtUsi5:uswtPMMrSx+0SWlG1SSO6cYsi
MD5:	997CE5ED3633E8FF84C2F7D1F0E48E53
SHA1:	D22617BDF6D8DCE13E5FCBE9BDD57A812EE1E237
SHA-256:	E06C221FB5B43F5A25220D326EB501573C2E0CC9FBB31007BF79054B6F613907
SHA-512:	CE187CD9CE4CAC28B91CD0B090A70B15E28BC59BE0CC2A1E58F4257ACBAD5C05B40D7E1ECC8F16B626BC51AFE6817E524A4326F09C3FBA85637285EA1F3291D8
Malicious:	false
Preview:	PK........,C.X...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........>.X..lz............message.xml.]Ys..~...r..S.c...-.K....v.Y.KEK...E.H.......Z(...V.N.... ..p.s....(...$...o..=:.D..A.....w.....#....8..4;nGq.<.}?.>.#?.........,.Bq..G..v08....G.=.i.....~..Q.......4.....h...`............Z... ..~(.X.g.>..;8=...7.x.G.....v.{..^.y}s...#u+.. ...s.$.2.._t...Gyuz....x...&gO..8..$.hp#.W.@..V...x.OW.c.........."S.x...>.Y....L..1..I<..vL.{$......#.i...7X\l....S..^..?.)..9tX..V.=.3qL.a...b.Bv.....X\|..O. y.5u.19...d..}{..q.d..p}......)..l..r.fk..<..v..(..o......-.f_....h..e ......Z....K.;Ka..cB<....:..x.(...v{(..!@.Z...Bg.n.<..PD.".+..0.A..5.Y...x....9.]..........d.2.h......<.j........~.+.g...8r.....].lS.9..RX@.;..........9.....8.A.......?tq....&....0..t..]...aW.....<.....Ka.=XO..C........~.F3.+.b..Y.\.,..Cq6.n..8..b`..b..{.8.......2o.S.J3U.bx;S..L..Y..L.v..LU.g....%..0U.....\...P>...Q..e..p0#yKN.H.Br..Nh r..D..?..Vuh..q)o.D.]#h.M.A

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-07-05 00-59-04-648.log

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.336383539528008
Encrypted:	false
SSDEEP:	384:TR70zBCpXKL96xivge/+KxgFf+ykUAkMN69LhN7Mia0DIpxm/i3I3avx9TGQIWBj:di9
MD5:	C2872223C772EFC6C3DF431B7BB45431
SHA1:	F950060A3FEA55AD8AD639C2A439606974AB07F9
SHA-256:	02A4460A6F5B272A7BF69248CF6839E6C48809925E6021B190B95712A49A2544
SHA-512:	AA7272537E3CEC60896997503EE62BEC15293EAA834804484EE08B78651ED3D714612A851A843C80B2489FB249F85BAA31974B263B489822A23470DDE6C3A2F0
Malicious:	false
Preview:	SessionID=97775495-63e9-41ba-b930-25c618ce16a1.1720155544658 Timestamp=2024-07-05T00:59:04:658-0400 ThreadID=8060 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=97775495-63e9-41ba-b930-25c618ce16a1.1720155544658 Timestamp=2024-07-05T00:59:04:659-0400 ThreadID=8060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=97775495-63e9-41ba-b930-25c618ce16a1.1720155544658 Timestamp=2024-07-05T00:59:04:659-0400 ThreadID=8060 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=97775495-63e9-41ba-b930-25c618ce16a1.1720155544658 Timestamp=2024-07-05T00:59:04:659-0400 ThreadID=8060 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=97775495-63e9-41ba-b930-25c618ce16a1.1720155544658 Timestamp=2024-07-05T00:59:04:659-0400 ThreadID=8060 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.392329700454346
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2ra:G
MD5:	548720C0D542D53FE02D958DBA11E126
SHA1:	1A1660DB36E40A4D353D8E2520FFD49587F6F554
SHA-256:	CC3E58AA64FCF4991B2AED7F7FA13406F0E13CCF2A4AD1A488E9021C19B773AA
SHA-512:	F62B65713AC6D1E10AE05EDC2D538840BBBF0E5F671B7D9BE641D01EA8E30B3FBA5E88D240CE27BBC9DE4913681CEA3C4C54F452CA9820225C7D44BA1B2BB184
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\53cd576a-7f36-44e0-8096-a39912bdd39a.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\6276a040-469d-4903-9fda-7fd2420776a1.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\6736f1c9-8f84-49e7-8e20-f2f25db5ac7c.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
MD5:	18E3D04537AF72FDBEB3760B2D10C80E
SHA1:	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
SHA-256:	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
SHA-512:	2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\ad77adca-2e00-4e52-8146-619d23e5748b.tmp

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\apt66ext.exe

Process:	C:\Users\user\AppData\Local\Temp\rkn.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55675088
Entropy (8bit):	7.998533737468859
Encrypted:	true
SSDEEP:	1572864:bVxMP+5vwyPlqv4QvVWKZeIw3UzwKxy27PXHB:bVCCwy9uVPw3U0KxyAPXh
MD5:	494A19DC7E5EAA0E516ECE245D2661DE
SHA1:	37E1A6A7B9C2F85D563BFA44AABCABC26FD00FB5
SHA-256:	7FF47DCE0AD262F4C0818170213A2A5C97B098258F5B2E85B3DF5A48EED05183
SHA-512:	180FDB170B68399C563C1DE6C290A9B365F32C484FF53E16D4EDBF967CD4FA9D8D50B45AB87AFD6F1E9B670240D640DA683A7E3E657ED22BD648D385624EC06A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Joe Sandbox View:	Filename: rkn.log.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x..x..x..3...~..3......3...r..m.x.y..m...P..m...h..m...q..3......x.....NY..y..NY..y..Richx..................PE..d.....mf.........."....%......................@.............................@............`.....................................................P.... ..P....................0.........................................@............................................text............................... ..`.rdata..............................@..@.data... ...........................@....pdata..............................@..@_RDATA..\...........................@..@.rsrc...P.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imaging.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2428928
Entropy (8bit):	6.459337580131227
Encrypted:	false
SSDEEP:	49152:koa4DDDK7v1T+bKpf6/ulLrLrLrLKg+JYWjHBF7:1K7v1TWX2q
MD5:	AACDB8C5BC88D687244E39CFC7A0B855
SHA1:	F47344BAEE73A89300A278C6797B29A49D5B924C
SHA-256:	6D21AC76315885570BDCBF7B54CDD212E430F4CA2708F6F641EB5F6FEEAFC6E2
SHA-512:	FE5ED4F93776D1608BFEA4C96D155C043E1B1A920B210672B3511FF070F48538B3C6EBA6D1F1F5A3C296B748346DACAD22649C676C958BF7E867B7D96C99E85F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: msupdate.exe, Detection: malicious, Browse Filename: rkn.log.exe, Detection: malicious, Browse Filename: apt66ext.log.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......<..1x.}bx.}bx.}bq..bh.}b..\|cz.}b...b\|.}b..xcu.}b..ycp.}b..~c\|.}b.\|cz.}b3.\|c..}bx.\|bp.}bx.}bc.}b..yc..}b..uc2.}b..}cy.}b...by.}b...cy.}bRichx.}b........................PE..d.....ec.........." ...!.............9........................................%...........`..........................................Z#.`...0[#......P%......P$..............`%.D.....!...............................!.@...............(............................text...x........................... ..`.rdata..............................@..@.data.........#......b#.............@....pdata.......P$.......#.............@..@.rsrc........P%.......$.............@..@.reloc..D....`%.......$.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingcms.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	257536
Entropy (8bit):	6.280201200423917
Encrypted:	false
SSDEEP:	6144:kFuq195UQ/b/8yRI7O4T9HFLg9uP1+74/LgHmPr9qvZqhLanLTLzLfqeqwL1Je0s:kFuqL5UfT9HFLg9uP1+74/LgHmPr9qvK
MD5:	74277F3293C7B0D3E882EA2DE1D1CF1E
SHA1:	4C8E0611A315A9BB4B7829989EC0115B65E679E9
SHA-256:	00BCFE359DB03A33DF453FF0DE146BFF038419AC65D5CB5055FFF5ED19A56259
SHA-512:	6DCC56EF0C3C4ED6286FCE212112764C9D0B38980783A2F348A3FCE0CC7CD0B7E75D388508484CD585493C645D3CC150B22D5FB9E41A4BD4CFDEA0E8441AE909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D....b...b...b....R..b.......b......b......b......b...<...b..K....b...b..lb......b.......b....>..b......b..Rich.b..........................PE..d.....ec.........." ...!..... ...............................................0............`.........................................0...d.................................... .......E...............................D..@...............`............................text...(........................... ..`.rdata.............................@..@.data....F.......@...v..............@....pdata...........0..................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingft.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1652736
Entropy (8bit):	6.766846496259483
Encrypted:	false
SSDEEP:	24576:RGxm3UN0DyIeCzhYTUrU55IUYcEe7/t8fV7MZgyzcO0PEXbZ5Ap4Xfo45:ox4SfC2TUO5HCI/et+gytfo4
MD5:	C399B12E90D2560998FBE4BAAA1C2520
SHA1:	075B5788F9B24385041B46BFBFCDB8B813063D8B
SHA-256:	EDB2750798F931782A39F68177594BE7B61D5DE8D2D72CC2DA56EE481235A91B
SHA-512:	2D395BE849E2CE8AC25EEE756CA6CAA9C1D1AD7C4D5157AD0D31D9442C765A3D7ACDCAE36BB37AD72724967D078908B316D491E6F8FF6B960B8F7D982903928C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........pn...........i.....&j......i.....&j.....&j.....&j.....&j......O........(...(j.....(j.....(j.....(j.....(j.....(j.....Rich............PE..d.....ec.........." ...!.....@............................................................`..........................................1..d....2.......`.......................p..h...p...............................0...@............... ............................text............................... ..`.rdata...0.......2..................@..@.data....+...P...$...2..............@....pdata...............V..............@..@.rsrc........`.......(..............@..@.reloc..h....p.......*..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_imagingtk.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.016426536954842
Encrypted:	false
SSDEEP:	192:dLWyIXW4r4fhDBg3hB2tCIpg7or9edH58IPpElVysUA4ckgT1G:dL7IXr45DBg3hB2V9eswpsVyZA2gTQ
MD5:	B61513E865CE6A68D13BE4CD2460B5AD
SHA1:	CBA64C5713D6D9D6267B4BFBF9BB2882CFAF174E
SHA-256:	32E29A8FF928D60D4E469796485A4F086E56CD7D6FA82793CBE5F4B2BF76742C
SHA-512:	94BD51836FE14DE22BCA9BCBC214C39B690DE1C077925FC4A93660912D2390EF57CB989A82C6BC2C9F82381D77905686960358CA3DFBE532DC6FE3E7022630AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i..:..:..:...:..:F..;..:F..;..:F..;..:F..;..:l.;..:..;..:..:.:H..;..:H..;..:H.l:..:H..;..:Rich..:........................PE..d.....ec.........." ...!.....$............................................................`..........................................9..d...T:.......p.......`..................<...p3..............................02..@............0..x............................text............................... ..`.rdata..z....0....... ..............@..@.data...8....P.......2..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..<............<..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PIL\_webp.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	531456
Entropy (8bit):	6.580984741686164
Encrypted:	false
SSDEEP:	12288:wyN9n89fa3Z6utaazqLrLrLrLaCCKVtNaIKJQIJzK:wV9ypLqLrLrLrLaCCKEIyQIJzK
MD5:	AA29985595759F7C02529650F6C35F1B
SHA1:	A859D0549379050C7CEC8B285A3BA802E8E71566
SHA-256:	47F85EE8BC271D79AC383C285EF026C7040B94AF8E67A5832138EEF8FC595CBD
SHA-512:	55AD17D7280B626A8B026470DB8A86C2DE05B137D9A923A37E6FE87169F682347E715D2EFFDE820ED58A6352CDFC396B64DA9B704085763FDAD30F6C7B7FABFD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0Qw.Q?$.Q?$.Q?$.).$.Q?$C>%.Q?$.)>%.Q?$C:%.Q?$C;%.Q?$C<%.Q?$i.>%.Q?$.Q>$.Q?$M;%.Q?$M7%.Q?$M?%.Q?$M.$.Q?$M*=%.Q?$Rich.Q?$........PE..d.....ec.........." ...!.................................................................`.........................................P...X............p....... ...M...................R...............................Q..@............................................text............................... ..`.rdata..~...........................@..@.data....7..........................@....pdata...M... ...N..................@..@.rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtCore.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2467840
Entropy (8bit):	6.240133820704683
Encrypted:	false
SSDEEP:	49152:aWYt+wPbTcSKSCcHFpXEqzhDarD9HDXTk5am3QSQK4ZAzYI+1ZdAEDGmtV/U3bwN:jSKSCcHFpXEqzhDarD9HDXTk5am3QSQO
MD5:	1DA7B606380B624274E7E3C5F25209BC
SHA1:	695949EAB1548E05FB10DA421626EF95B03D5B89
SHA-256:	203BB6236F23F57AD8CDAB5BBF4537A4ABBC0B0879CF2893A8DC930E679DD846
SHA-512:	43E4CDE7B3CF2F57991C169B1B9AD90334187A41B7784F37660D146252B1C6BD2E98CF86210F938967653773F29619CF0CE038A99184E3D44F734223D05C0B93
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^..0..0..0.....0...1...0...1...0...5..0...4..0...3..0.M.1...0.E.1...0..1.!.0...5..0...0..0...2..0.Rich.0.........................PE..d...3..c.........." .....B..........HF........................................&...........`.............................................L...L.................#..............`%.....`.......................b..(....`..8............`...o...........................text....A.......B.................. ..`.rdata...o...`...p...F..............@..@.data...(...........................@....pdata........#......<#.............@..@.reloc......`%.......%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtGui.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2482688
Entropy (8bit):	6.233473435581707
Encrypted:	false
SSDEEP:	49152:eq1Bdy8kK+zqwXSkaGV0COyxNkFAEfYoyWbP:dLdiznbTjO
MD5:	3A9A1CD6F3A0EFE67B5994B82D7C4E21
SHA1:	E4009EB322A235C7B739777B4385906A238E7B37
SHA-256:	2CA28D29EC4F2F50B4CCC70C7D6399B314151BC38852833D2D30097773BB1C00
SHA-512:	13BCA36D9BFBE7AD6B43818E5AFC4FF940ADCCC8273DB00052B1466339258C4A0D47B2E126278F43CB24A0E608A08CF39A92379375CE011E156DE1546A286C15
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wE.S.+OS.+OS.+OZn.OW.+O.cNQ.+O.~NQ.+O.c.NG.+O.c/N[.+O.c(NP.+O.mNQ.+O.fNV.+OS.*O..+O.c.NX.+O.c+NR.+O.c)NR.+ORichS.+O........................PE..d...R..c.........." .........J...............................................@&...........`.............................................L...L.................#...............%.....`...................................8................z...........................text............................... ..`.rdata..V...........................@..@.data...(z...p...^...N..............@....pdata........#.......#.............@..@.reloc........%.......%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\QtWidgets.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5092864
Entropy (8bit):	6.251608446485404
Encrypted:	false
SSDEEP:	49152:I6qnQByIoLSo7MMVjv7pekxL3UNmN61ZA+gca6xSdJzqNQ9SbBanj1Mxf5uJa:WxI/kMaz7YsgNDG90+VimCOa
MD5:	9E4B668C64D9E7A6C59BEBE4B0D6D7C0
SHA1:	75C70834E631014296F893F5584B18EA20AC1EC3
SHA-256:	E4A06FE65B02C568DB984771FB9A46EA95A8E4353EA85C942F954CBA02DEC635
SHA-512:	8D18D5F640EFE4631E4E43A1EF4BB458613C598C88574DC3C3BCFA8C0B8C7CBBF4950CF6F6BB31B49914DC45523A2376AC9178939164D93BDDD670BAD5386D66
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0...^..^..^.....^..._..^..._..^...[..^...Z..^...]..^..._..^..._..^.._..^.X.[..^.X.^..^.X.\..^.Rich..^.................PE..d...m..c.........." ......,...!.......,.......................................N...........`..........................................t;.T...Du;..............0H..t............L..O...7..............................7.8.............,.`............................text...(.,.......,................. ..`.rdata..F.....,.......,.............@..@.data....9....@.......@.............@....pdata...t...0H..t....G.............@..@.reloc...O....L..P...fL.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\iconengines\qsvgicon.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qgif.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qicns.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qico.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qjpeg.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qsvg.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtga.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qtiff.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwbmp.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\imageformats\qwebp.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\dsengine.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	301040
Entropy (8bit):	6.15513142093455
Encrypted:	false
SSDEEP:	6144:+t6LjqQ5qwlL5536MDPlk1B9/f9EQlK13EsOyo+FRrzu:+sLWQwwT53dJA+FRrzu
MD5:	9EC42E2D5C802162CFF74A037917AE94
SHA1:	73E7A721AE946A1AE7443E047589620C71FF99AB
SHA-256:	3539AA922FCC946C8AF2BDBABF10B0260B9CC14AD62EA331D29766B170D1D3D4
SHA-512:	407BB599B654FCD8BF4FD0E724CC4FED6318A655838B7B8A027938CADDEF9604D4CCEE665DDE799C0C74B21D910462D38EF7E8E82237B420221B32DBC02B7128
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......0^B.t?,.t?,.t?,.}G..~?,.P).g?,.P(.\|?,.P/.w?,.P-.p?,..O-.~?,.`T(.r?,.`T).u?,.`T-.c?,.t?-..=,..O).6?,..O,.u?,..O..u?,..O..u?,.Richt?,.........................PE..d...l.._.........." ................l................................................1....`.............................................x...(...........H....`..D1...\|..................T..................../..(...p...0............................................text............................... ..`.rdata...o.......p..................@..@.data... 2... ...*..................@....pdata..D1...`...2...:..............@..@.qtmetad.............l..............@..P.rsrc...H............n..............@..@.reloc...............r..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\qtmedia_audioengine.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	5.915530709928927
Encrypted:	false
SSDEEP:	1536:CX+k4JfQEzxmtbtXd8UxpzFV03X8GhCMIZm4XUfo:CyJBxm3XKUHzGhCMIZf/
MD5:	71A4564FA2B8755E43FB6D5D6AFE9763
SHA1:	4A58F92BD8153860B0D89B7AC068CF7E5AA1040A
SHA-256:	1E8DC7E376664B17A5356E53CFB5BB7CFF148E05A5B96923EF59E2C29ADA28FD
SHA-512:	4D15E0D04D184A7B59E0DF97BB96EFE14AA76E57148727166351A1C010B141CE22ACC92F17F8C45791E0CD8374FB45ED3F95311524A7F11E2F336D934452425F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........GA.&/..&/..&/..^...&/.QI...&/..M...&/.QI..&/.QI+..&/.QI,..&/..V...&/..&...'/..V..&/..V/..&/..V..&/..V-..&/.Rich.&/.........................PE..d......_.........." .....b..........th.......................................@............`.......................................................... ..X....................0..$.......T.......................(...p...0............................................text....a.......b.................. ..`.rdata..Fh.......j...f..............@..@.data...x...........................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..$....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\mediaservice\wmfengine.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208368
Entropy (8bit):	6.0609445635731305
Encrypted:	false
SSDEEP:	3072:W4vMUHhXLy+Duac3hiMGY3XQtjNjFiUipnrNg9KoHosdi:2eySuaQxejN4UipnrNg9XHoei
MD5:	BB6F3C46B003B34FD189C58B2C39962B
SHA1:	3CFFF78FBA6497BC1FD2C2AD4BE494E97254E898
SHA-256:	7E76A6B05EA7919A17C90591AA406E4F4835BB6478B5E43FC683C18F251EA96F
SHA-512:	DCE7BB4DD739251168F697C58B9F96DD883ADABC1D9A89B601C0D58C12D587F61F1D0A4215F66D3E6E6108778E4082F230043FB2D417CD4908754E58A0E1140A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......h.fQ,...,...,...%...*......(......$....../......9...8...-.......&...8...-...8...-...8...+...8...;...,...................-.......-.......-...Rich,...........PE..d...X.._.........." .........d...............................................`............`.........................................0p..x....p.......@..H........ ...........P..x...X...T.......................(.......0............................................text...;........................... ..`.rdata..............................@..@.data....%....... ..................@....pdata... ......."..................@..@.qtmetad.....0......................@..P.rsrc...H....@......................@..@.reloc..x....P......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qminimal.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qoffscreen.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwebgl.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platforms\qwindows.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\platformthemes\qxdgdesktopportal.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\printsupport\windowsprintersupport.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55280
Entropy (8bit):	6.083938612859037
Encrypted:	false
SSDEEP:	768:PY5ff1eZ5yUgg+mpYPyU6bZAnhdbfLLAARljIFuzdDG9Uf2hFc:PY5X1ez9DYaUQZAnhJz8ARljmuzAUf1
MD5:	07D7D4B65F5EB33051320DF66BD943A9
SHA1:	9A89ECF02137394BDDDE6F3D4E455AFE1BC1FA53
SHA-256:	C7A1BBF4EA6A74888E71F7199373C9920017199B41F624267EAD151EB8CF99B6
SHA-512:	E58DC1BC6243907EB7BBECFF1CF697C1384C9F3FCBFA8B28EB4920E71B701901A4F20F889E19CDEFB953A194D7E1D1F9EAA197E1B740075BB06AE05D3ACE15AF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................P....x......x......x......x......5..................5......5......5.<....5......Rich............................PE..d...K._.........." .....Z...`.......`.............................................../....`.........................................0...................`.......4...................h~..T.......................(....~..0............p..`............................text...1Y.......Z.................. ..`.rdata...F...p...H...^..............@..@.data...............................@....pdata..4...........................@..@.qtmetad............................@..P.rsrc...`...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\qt-plugins\styles\qwindowsvistastyle.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\PyQt5\sip.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	121344
Entropy (8bit):	6.013239668983001
Encrypted:	false
SSDEEP:	3072:ffo4ygrnRYa5v7Wbj8F4HwSvQxoodR89X1f:44yQOa5jWnW4wSoPR2f
MD5:	3C3ECB577008D8C505C48D1136139886
SHA1:	15A08DAA51035EB4C7E2931A22FA2475118F95D6
SHA-256:	4E42894C6335229782AE2FD1C5FE59F571FA4C7CD2C0EE7543C7A320333E46F2
SHA-512:	EF220EBCF27E6F607AD4F22A6BAEC1FE88345D3B3274826F76C5A5715A26F6A96032E69E30A0464BF91B9409B3588769F8CD907D34EF5179AC25409A82BA60F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................../.........y.....y.....y.`...y.....Rich..........................PE..d....+8d.........." .....N...........R....................................... ............`.........................................0...T...........................................P...............................p...8............`...............................text....M.......N.................. ..`.rdata...R...`...T...R..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_asyncio.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	73744
Entropy (8bit):	5.899692891859365
Encrypted:	false
SSDEEP:	1536:P/NHFMdDgugn5BHr/1Rq6mMxnBGpI8snaqy27:X/485x1Rq6mgncpI8snaw7
MD5:	3A9762EE38BFAC66D381270C80D8B787
SHA1:	44036D492A5BB4A8EDFC5DDF3EE84772C74A77ED
SHA-256:	9531365763F8BBFF9FA7E18EABEFE866F99EA4B8E127B265A8952E16217C61E1
SHA-512:	4AFE20524D3043FC526C585C2E5589F4505FDBF4B2011577A595AA836423484BAB18A9F5F4DB82D204A3506DBC55923CFBEF1B0F4DAD54FE2DC2A771CD1F632E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1l..1l..1l..8.B.3l...2..3l...2..3l...2..;l...2..;l..2..2l..j...3l..1l..Hl..2..0l..2..0l..2..0l..2..0l..Rich1l..................PE..d...r.:_.........." .....r...........Y.......................................P............`......................................... ...P...p...d....0.......................@..`...`...T............................................................................text...gp.......r.................. ..`.rdata..t:.......<...v..............@..@.data....7.......2..................@....pdata..............................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc..`....@......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_bz2.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	94736
Entropy (8bit):	6.337586298062742
Encrypted:	false
SSDEEP:	1536:DGb6DBCvurMRnQhVx8/Nlv+SSm9YmFN87Xgq4ToV+dypRI84VAyE:abfXyg7pp9TC7Xgq4ToV+kRI84VY
MD5:	CF77513525FC652BAD6C7F85E192E94B
SHA1:	23EC3BB9CDC356500EC192CAC16906864D5E9A81
SHA-256:	8BCE02E8D44003C5301608B1722F7E26AADA2A03D731FA92A48C124DB40E2E41
SHA-512:	DBC1BA8794CE2D027145C78B7E1FC842FFBABB090ABF9C29044657BDECD44396014B4F7C2B896DE18AAD6CFA113A4841A9CA567E501A6247832B205FE39584A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e.l..k?..k?..k?.\|.?..k?.Zj>..k?B..?..k?.Zh>..k?.Zn>..k?.Zo>..k?vZj>..k?.lj>..k?..j?..k?vZc>..k?vZk>..k?vZ.?..k?vZi>..k?Rich..k?........PE..d...z.:_.........." .........j......$...............................................<6....`........................................../..H...80...............`.......X..................T............................................................................text............................... ..`.rdata...;.......<..................@..@.data........@.......0..............@....pdata.......`.......>..............@..@.gfids.......p.......H..............@..@.rsrc................J..............@..@.reloc...............V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_cffi_backend.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181760
Entropy (8bit):	6.199103831906969
Encrypted:	false
SSDEEP:	3072:fuDhqvb8EFiB2SAxCapLigdLnqH1nWShafSmnS791/9d9CdhjkhneKGg:fuDcz8EFfSAxzigdWnW1fSWWmhjkhneU
MD5:	DACCB97B9214BB1366ED40AD583679A2
SHA1:	89554E638B62BE5F388C9BDD35D9DAF53A240E0C
SHA-256:	B714423D9CAD42E67937531F2634001A870F8BE2BF413EACFC9F73EF391A7915
SHA-512:	99FD5C80372D878F722E4BCB1B8C8C737600961D3A9DFFC3E8277E024AAAC8648C64825820E20DA1AB9AD9180501218C6D796AF1905D8845D41C6DBB4C6EBAB0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........C..CC..CC..CJ.OCO..C...BA..C%.!CG..C...BH..C...BK..C...BG..C...BG..C..B@..CC..C...C...BG..CJ.ICB..C...BB..C..#CB..C...BB..CRichC..C................PE..d.....b.........." .........>......p........................................@............`.........................................PQ..h....Q....... ..........`............0.......7...............................7..8............................................text............................... ..`.rdata..............................@..@.data...H....p...T...T..............@....pdata..`...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ctypes.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132624
Entropy (8bit):	5.962671714439977
Encrypted:	false
SSDEEP:	1536:bRyGuR/8oD9tR2yHBIjxBaVGTODsAR04D0RfUGpd0/b8aMgiadI8VPEye:bcDd8oM+kBVQ/8f5pdObL7dI8VPG
MD5:	5E869EEBB6169CE66225EB6725D5BE4A
SHA1:	747887DA0D7AB152E1D54608C430E78192D5A788
SHA-256:	430F1886CAF059F05CDE6EB2E8D96FEB25982749A151231E471E4B8D7F54F173
SHA-512:	FEB6888BB61E271B1670317435EE8653DEDD559263788FBF9A7766BC952DEFD7A43E7C3D9F539673C262ABEDD97B0C4DD707F0F5339B1C1570DB4E25DA804A16
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........$\.kw\.kw\.kwU..wZ.kwg.jv^.kwg.hv_.kwg.nvV.kwg.ovV.kw..jv^.kw..ov].kw..jv[.kw\.jw..kw..hv].kw..cvT.kw..kv].kw..w].kw..iv].kwRich\.kw........................PE..d...r.:_.........." .........................................................@....../G....`.......................................................... .......................0.......e..T............................f...............0...............................text............................... ..`.rdata..pq...0...r..................@..@.data....9.......4..................@....pdata..............................@..@.gfids..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_decimal.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	267280
Entropy (8bit):	6.490803702039132
Encrypted:	false
SSDEEP:	6144:16wN+Xkv3Pt2R4ihr6iboTfWebtedJ/gqWya38LWuAxR:U4ExW4oTdoC3R
MD5:	75A0542682D8F534F4A1BA48EB32218F
SHA1:	A9B878F45B575A0502003EBCFE3D6EB9AC7DD126
SHA-256:	5767525D2CDD2A89DE97A11784EC0769C30935302C135F087B09894F8865BE8B
SHA-512:	4682B8E4A81F7EFFC89D580DCA10CCFCCEBE562C2745626833CD5818DE9753C3A1E064A47C7DDC4676B6E1C7071C484156FABE98E423E625BB5D2C2B843C33DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q#!.0Mr.0Mr.0Mr.H.r.0Mr.nLs.0Mr.nNs.0Mr.nHs.0Mr.nIs.0Mr.nLs.0Mr.XLs.0Mr.0Lr?0Mr.nNs.0Mr.n@s.0Mr.nMs.0Mr.n.r.0Mr.nOs.0MrRich.0Mr........PE..d...q.:_.........." .........R...............................................@......&5....`.........................................P8..P....8....... ..........\|/...........0...... ...T............................................................................text...8........................... ..`.rdata..2...........................@..@.data...h....P...\|...:..............@....pdata..\|/.......0..................@..@.gfids..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_elementtree.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	207888
Entropy (8bit):	6.299632329784148
Encrypted:	false
SSDEEP:	3072:eA5zdNfn+gUP4DoqYjDn0sYwtk9/h337lm2Fad8u2JyoMMMMMMF4S1jzhI8AfC:eAxL/+gUPJjD0sYw6nBmRQye1jz3
MD5:	7D0C4AB57FDC1BD30C0E8E42CCC2AA35
SHA1:	81BFF07B6B5DD843E2227A3E8054500CFEC65983
SHA-256:	EE8C4A8FE8EAA918A4FEE353D46F4191BD161582098B400C33220847D84797DB
SHA-512:	56AE9F10DE02E7C777673814128D0252B47D001D2EDC74BFF9D85D7B0B6538B6F4D3D163E301DFB31429EC1EEEFEE550A72D6E424F20E10EB63C28DB0E69FBBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..B&oo.&oo.&oo./...*oo..1n.$oo..1l.$oo..1j.,oo..1k.,oo..1n.$oo.}.n.%oo.&on..oo..1g."oo..1o.'oo..1..'oo..1m.'oo.Rich&oo.........................PE..d...v.:_.........." .....0...........-.......................................P............`.............................................X...........0...........%...........@..4....}..T...........................P~...............@...............................text...s........0.................. ..`.rdata.......@.......4..............@..@.data...............................@....pdata...%.......&..................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc..4....@......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_hashlib.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38928
Entropy (8bit):	5.959951673192366
Encrypted:	false
SSDEEP:	768:AyvaHXGH0o9MBl7nqHQ03dpI8sIZhWDG4yfkO:UKnyBlmHQadpI8sIZcyMO
MD5:	B32CB9615A9BADA55E8F20DCEA2FBF48
SHA1:	A9C6E2D44B07B31C898A6D83B7093BF90915062D
SHA-256:	CA4F433A68C3921526F31F46D8A45709B946BBD40F04A4CFC6C245CB9EE0EAB5
SHA-512:	5C583292DE2BA33A3FC1129DFB4E2429FF2A30EEAF9C0BCFF6CCA487921F0CA02C3002B24353832504C3EEC96A7B2C507F455B18717BCD11B239BBBBD79FADBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%_..a>..a>..a>..hF^.c>..Z`..c>..Z`..c>..Z`..k>..Z`..k>...`..c>..:V..c>...W..b>..a>..8>...`..`>...`..`>...`2.`>...`..`>..Richa>..................PE..d...y.:_.........." .....6...J.......4....................................................`..........................................e..P...`e..x....................~..............0[..T............................[...............P...............................text....5.......6.................. ..`.rdata..p ...P..."...:..............@..@.data...0............\..............@....pdata...............h..............@..@.gfids...............n..............@..@.rsrc................p..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_lzma.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176144
Entropy (8bit):	6.6945247495968045
Encrypted:	false
SSDEEP:	3072:KCvUDHEIzx6yBexOV3fNDjGTtDlQxueKd03DV8tv9XIGIPExZJV9mNoA2v1kqnfE:tvUtdBexOlNDk+xTKg8tlJKyXYOAC1Lc
MD5:	5FBB728A3B3ABBDD830033586183A206
SHA1:	066FDE2FA80485C4F22E0552A4D433584D672A54
SHA-256:	F9BC6036D9E4D57D08848418367743FB608434C04434AB07DA9DABE4725F9A9B
SHA-512:	31E7C9FE9D8680378F8E3EA4473461BA830DF2D80A3E24E5D02A106128D048430E5D5558C0B99EC51C3D1892C76E4BAA14D63D1EC1FC6B1728858AA2A255B2FB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........).o.z.o.z.o.z..7z.o.z.1.{.o.z.1.{.o.z.1.{.o.z.1.{.o.zi1.{.o.z...{.o.z.o.z.o.zi1.{.o.zi1.{.o.zi1[z.o.zi1.{.o.zRich.o.z........................PE..d.....:_.........." ................H.....................................................`.........................................PW..L....W..x...............t...............@....3..T............................4...............................................text...#........................... ..`.rdata..............................@..@.data........p.......T..............@....pdata..t............n..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_multiprocessing.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29712
Entropy (8bit):	5.960619050057232
Encrypted:	false
SSDEEP:	384:iPzxbi1duybZ93GDXIV0Y5FoTewHJ4nhB/5I8kBLheX1nYPLxDG4y8SNu7:imeIxo6wuH/5I8kthelWDG4ya7
MD5:	3CF091905D3CC49070B0C39848F0D48B
SHA1:	888716F84768545A3B21B36CA0BE2D52D22F9F8A
SHA-256:	7A0A1D04A326E21636A08F5F9772625F8B07BA1CE3FB2C78052BEC3CF795704A
SHA-512:	A9BDD51EBE1DE8CA36EF89B1A6BA9AA213A414C9F6C23819DF3A8F702ACDC6B53F0B096A813B3E93BC4E380791B404276CF2D89A0DE26AAC9A412BCFE49FF4F5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................%............................}...............}.....}.....}.I....}.....Rich...................PE..d...t.:_.........." ....."...:....... ...................................................`..........................................O..`...`O..x....... ....p..`....Z..............`G..T............................G...............@...............................text.... .......".................. ..`.rdata..J....@.......&..............@..@.data...`....`.......@..............@....pdata..`....p.......F..............@..@.gfids...............J..............@..@.rsrc... ............L..............@..@.reloc...............X..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_overlapped.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46096
Entropy (8bit):	5.925988445470974
Encrypted:	false
SSDEEP:	768:U4ljYOwns/tk8iin8alqEahsMJrrnoYIJVI8JtAWDG4yCO:TjtKPsMJrUVI8JtNyp
MD5:	F22850F077950F7566B4C6C15A184BF3
SHA1:	E200F6BA1378CAEED367C9A365B13232919F1DFA
SHA-256:	EFE043D0FC7C922968F44469FD70FDBB49569D8CA8AF82AAEA796F5B687F5660
SHA-512:	9799823371169D85D8A1DC95378C4ABD74A09C88A0A32F65F25B77D8E31A9321C9877E13B0A5F0E7E9C30976DA6ADAB0D084A8F07EC6070701146E9C29FBF00B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................z........................5.........................5......5......5......5......Rich............................PE..d...v.:_.........." .....<...`......8/....................................................`.........................................pn..X....n.......................................W..T...........................pW...............P..p............................text..._:.......<.................. ..`.rdata...+...P...,...@..............@..@.data...H............l..............@....pdata...............~..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_queue.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28176
Entropy (8bit):	5.982244926544283
Encrypted:	false
SSDEEP:	384:lDZ54qTq9Qe//7vWXhTR/cEI6rgdI8qU8nYPLxDG4y8HmsuEyo:p4qwQ0WRtS6rgdI8qU8WDG4y6XuEyo
MD5:	C0A70188685E44E73576E3CD63FC1F68
SHA1:	36F88CA5C1DDA929B932D656368515E851AEB175
SHA-256:	E499824D58570C3130BA8EF1AC2D503E71F916C634B2708CC22E95C223F83D0A
SHA-512:	B9168BF1B98DA4A9DFD7B1B040E1214FD69E8DFC2019774890291703AB48075C791CC27AF5D735220BD25C47643F098820563DC537748471765AFF164B00A4AA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kUe./4../4../4..&L..-4...j..-4...j..-4...j..%4...j..&4..j..,4..t\..-4../4...4..j...4..j...4..j...4..j...4..Rich/4..........................PE..d...t.:_.........." .........8......8.....................................................`..........................................:..L....;..d............`.......T..........l... 4..T............................4...............0...............................text...s........................... ..`.rdata.. ....0......."..............@..@.data........P.......6..............@....pdata.......`.......@..............@..@.gfids.......p.......D..............@..@.rsrc................F..............@..@.reloc..l............R..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_socket.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	76816
Entropy (8bit):	6.0942584309558985
Encrypted:	false
SSDEEP:	1536:vG/A9Fu5OEPenRXk5d2jw/hEdFcvY+RgOmkcH7dI8VwYyo:e/Anu5OEPenRXRjw/h0FcvYcgOmkcbdV
MD5:	8EA18D0EEAE9044C278D2EA7A1DBAE36
SHA1:	DE210842DA8CB1CB14318789575D65117D14E728
SHA-256:	9822C258A9D25062E51EAFC45D62ED19722E0450A212668F6737EB3BFE3A41C2
SHA-512:	D275CE71D422CFAACEF1220DC1F35AFBA14B38A205623E3652766DB11621B2A1D80C5D0FB0A7DF19402EBE48603E76B8F8852F6CBFF95A181D33E797476029F0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%A..K...K...K......K..J...K..H...K..N...K..O...K.G.J...K...J...K...J.A.K.G.C...K.G.K...K.G.....K.G.I...K.Rich..K.........PE..d...~.:_.........." .....x...........v.......................................`....... ....`.........................................0...P............@....... ...............P.........T...........................@................................................text...cw.......x.................. ..`.rdata..bA.......B...\|..............@..@.data....=.......8..................@....pdata....... ......................@..@.gfids.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_ssl.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120848
Entropy (8bit):	6.015568704435241
Encrypted:	false
SSDEEP:	3072:B9+/8UxGzqHYjeS0Woia4TMpi6EPQNvURI847uHV:b+UUxGiY8Wo1UVV
MD5:	5A393BB4F3AE499541356E57A766EB6A
SHA1:	908F68F4EA1A754FD31EDB662332CF0DF238CF9A
SHA-256:	B6593B3AF0E993FD5043A7EAB327409F4BF8CDCD8336ACA97DBE6325AEFDB047
SHA-512:	958584FD4EFAA5DD301CBCECBFC8927F9D2CAEC9E2826B2AF9257C5EEFB4B0B81DBBADBD3C1D867F56705C854284666F98D428DC2377CCC49F8E1F9BBBED158F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a...............x2......^.......^.......^.......^......k^......Zi.......h..............k^......k^......k^^.....k^......Rich....................PE..d.....:_.........." .....................................................................`..........................................;..d...T<..................................h....%..T............................&..................8............................text...s........................... ..`.rdata..r...........................@..@.data....N...p...J...P..............@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..h...........................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\_tkinter.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	69648
Entropy (8bit):	6.022045168499411
Encrypted:	false
SSDEEP:	1536:wZSaB9UmU+YBYGnmmwe06hcvfyRiDpI8sS1yh:wZSDoe0FvfyRiDpI8sSo
MD5:	09F66528018FFEF916899845D6632307
SHA1:	CF9DDAD46180EF05A306DCB05FDB6F24912A69CE
SHA-256:	34D89FE378FC10351D127FB85427449F31595ECCF9F5D17760B36709DD1449B9
SHA-512:	ED406792D8A533DB71BD71859EDBB2C69A828937757AFEC1A83FD1EACB1E5E6EC9AFE3AA5E796FA1F518578F6D64FF19D64F64C9601760B7600A383EFE82B3DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.r{}..(}..(}..(t..({..(F..)...(F..)...(F..)v..(F..)w..(..)...(&..)...(...)x..(}..(...(..)...(..)\|..(..(\|..(..)\|..(Rich}..(........................PE..d.....:_.........." .....~...\|......HP.......................................P.......P....`.........................................P...P............0..........,............@......P...T............................................................................text...S}.......~.................. ..`.rdata...C.......D..................@..@.data...h...........................@....pdata..,...........................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\concrt140.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	317208
Entropy (8bit):	6.325295618585691
Encrypted:	false
SSDEEP:	6144:2VwR2xhiXuz1BxUBE0I3umFKuLHqvqNXV4rnWzgCEcl:Vs9zGEj3saz7l
MD5:	F3C9F61B9E1B25C9DE8D817D3D1C02D7
SHA1:	DAB244AC19C66BB5A7BAE0AEE6E3EA280C30F364
SHA-256:	1F072A6DC98CD882C542208E7A8FE4FBE5239781588F17C005A2607FDFE62D5D
SHA-512:	8A6CF1E91A15B5A1DB52880258F3A39F6CC3BED72E79598F7A10661DD9ED28D369499F585225EB016A2F0B7EDDADE096BA80083DB301B68DEB173FADDE3B9619
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xFo.<'..<'..<'.....>'..5_..6'...H..;'..<'...'...H..4'...H..8'...H..h'...H..='...H..='...H..='..Rich<'..........................PE..d.....t^.........." ................`...............................................;g....`A.............................................M...................p...6.......A......l....3..8........................... 4..0............................................text...,........................... ..`.rdata..*2.......4..................@..@.data....?...0...8..................@....pdata...6...p...8...N..............@..@.rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\cv2\cv2.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87928320
Entropy (8bit):	6.741890175139891
Encrypted:	false
SSDEEP:	393216:ZH7PCXZQzJy4TWVv2/Eidszo7ARI5WEzq8E0vSH3nKBuT8CpX8GxWaHLiAUmYuk4:SQzJDWVv6dYReGxH3KB2XzhE2/sHs
MD5:	8A6BD62E33C8359CDCA4F9B06C4F4E47
SHA1:	27E229566B5759327AB08854B8EE6969770AA76B
SHA-256:	92DAF05BC35D5AE15F6110EE45204973A83B9DF22AB5B449A5158BA33403D9AF
SHA-512:	32AAAA9ED0DD63068C7B064A943D96A00CDE3F4D76F5D56DCC609C04A0C81C851F5587A801553AA952CBC810EAA7589CA0FA70F9E1D0D4B39A8EEC9BB382B918
Malicious:	true
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........N..t N.t N.t N.)$O.t N.)#O.t N.)%O't N.)'O.t N...N.t N4#O.t N4%O.t N4$O.t N.)&O.t N..N.w N.t N.S N.)!O.t N,$OEt N3!O.t N.t!N.u N,%O.p N,* O.t N,.N.t N,"O.t NRich.t N........PE..d...@..c.........." ................8GM.......................................`...........`..........................................-..........@.....].......<..D........... ].`.....x.T.....................x.(... .x.................(............................text............................... ..`IPPCODE............................. ..`.rdata...c[......d[.................@..@.data....`0.. ...v..................@....pdata...D....<..F...\|..............@..@.tls..........Z.......8.............@...IPPDATA..N....Z..P....8.............@....gfids..l....@[.......9.............@..@_RDATA.......`[......*9.............@..@.rsrc.........].......:.............@..@.reloc..`.... ].......:.

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libcrypto-1_1.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3399200
Entropy (8bit):	6.094152840203032
Encrypted:	false
SSDEEP:	98304:R3+YyRoAK2rXHsoz5O8M1CPwDv3uFh+r:t9yWAK2zsozZM1CPwDv3uFh+r
MD5:	CC4CBF715966CDCAD95A1E6C95592B3D
SHA1:	D5873FEA9C084BCC753D1C93B2D0716257BEA7C3
SHA-256:	594303E2CE6A4A02439054C84592791BF4AB0B7C12E9BBDB4B040E27251521F1
SHA-512:	3B5AF9FBBC915D172648C2B0B513B5D2151F940CCF54C23148CD303E6660395F180981B148202BEF76F5209ACC53B8953B1CB067546F90389A6AA300C1FBE477
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............K..K..K..;K..K...J..K...J..K...J..K...J..K...J..K..Kb.Kd..J..Kd..J..Kd..J..Kd.WK..Kd..J..KRich..K........................PE..d......^.........." .....R$..........r.......................................`4......~4...`.........................................`...hg...3.@.....3.\|.....1.......3. .....3..O...m,.8............................m,...............3..............................text...GQ$......R$................. ..`.rdata.......p$......V$.............@..@.data....z...P1..,...41.............@....pdata..P.....1......`1.............@..@.idata...#....3..$....3.............@..@.00cfg........3......@3.............@..@.rsrc...\|.....3......B3.............@..@.reloc..fx....3..z...J3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libeay32.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1988608
Entropy (8bit):	6.7573278120063724
Encrypted:	false
SSDEEP:	49152:iIGHW0Tlp28IQfPxwmUie+7IdlmQIU6iShqjQPPjWW8:ijHKqfw0v+qqjQDWW8
MD5:	5F7617F3EC354FBAE5092AB5F0BB8F2A
SHA1:	4DF4E9D48C5DB0C1D170ABD19F3A2FC7ACA4615A
SHA-256:	44DCA66A470DCCA1BF9E6C1F22B4FE2175C4D9E796884CDD61D8536F013416EA
SHA-512:	2F499C164DE92338874D6E1FD4FF790AD1083D71E3069E985B9E29800CDD4AF4340C56928C1AAD38F4ED69120F6A4BA747B8562BD6F01A09E7A58302D9545480
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l...l...l....i..l.......l.......l.......l.......l.......l...l..bl...l...l..m....n..m....l..m....l..m....l..Rich.l..........PE..d...<..].........." .....p...........w....................................................`.........................................0X..........h....P..H....0...............`...B..py..T............................y.................. ............................text...so.......p.................. ..`.rdata..R............t..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc...H....P......................@..@.reloc...B...`...D..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libfreetype-6.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	586240
Entropy (8bit):	6.4460699567644255
Encrypted:	false
SSDEEP:	12288:w7AvRbpuflWqWyhb/e+AUCnGqI3qoTF1OgfEWm:w7AWVhbm+AWqc5uZ
MD5:	42AB9DD5740879C8A0913047149D3A60
SHA1:	D117EF70D0100615B5D50FB555345545E823235B
SHA-256:	8E263FD9257E8E83BAFDA0C943184A498C07424C4D558321FDB48C9A197E58A4
SHA-512:	5C0656521815CB504A1E840FD0163B0EB10D6B7237DBB76C6BDBF66388111667FB1D4FE78C2BBE8D00D377CF150200142CE7E33CB5434960F69A77899322B417
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....j.....................j.............................p......d7........ .............................................. ..T....P.......p...:...........`.............................. @..(...................p".. ............................text...xh.......j..................`.P`.data...P............n..............@.P..rdata..p............p..............@.`@.pdata...:...p...<...F..............@.0@.xdata..(9.......:..................@.0@.bss..................................`..edata..............................@.0@.idata..T.... ......................@.0..CRT....X....0......................@.@..tls....h....@......................@.`..rsrc........P......................@.0..reloc.......`......................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libjpeg-9.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.389441331010228
Encrypted:	false
SSDEEP:	6144:I7wNZIYb0maLgCaqrWqg7EdP8J1dJHoFaeghCbBL:I7we7gCaqrWqg7EdP8jpY
MD5:	C540308D4A8E6289C40753FDD3E1C960
SHA1:	1B84170212CA51970F794C967465CA7E84000D0E
SHA-256:	3A224AF540C96574800F5E9ACF64B2CDFB9060E727919EC14FBD187A9B5BFE69
SHA-512:	1DADC6B92DE9AF998F83FAF216D2AB6483B2DEA7CDEA3387AC846E924ADBF624F36F8093DAF5CEE6010FEA7F3556A5E2FCAC494DBC87B5A55CE564C9CD76F92B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...........................i.............................@................ .................................................................x............0.............................. ..(...................<................................text............................... .P`.data........ ......................@.P..rdata...J...0...L..................@.`@.pdata..x............b..............@.0@.xdata...............x..............@.0@.bss....P.............................`..edata..............................@.0@.idata..............................@.0..CRT....X...........................@.@..tls....h.... ......................@.`..reloc.......0......................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libopenblas.WCDJNK7YVMPZQ2ME2ZZHJJRJ3JIKNDB7.gfortran-win_amd64.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34369888
Entropy (8bit):	6.3382421612060815
Encrypted:	false
SSDEEP:	196608:fGLtguCargPguXVwK+UMidpW9fkSWweAY/CZoEeV8Vb13w6y1WftYk5kscxQfEGP:UksJf2OF
MD5:	1B45722EC0556E13EBA6DB83F383E692
SHA1:	A3BE5C6E4E92CCB250FA325A7FA4CBC35E9124F3
SHA-256:	BD94E2467FE06C5D13BACF7451E13EF18BB876A4E78493D7E9B7600835DBB0AB
SHA-512:	66DBA1F77BE1A1EC71195A7CFCA4612C4232C69AE7248FBCDE58F1A12060BF814F1CF274F6C50D51D82BB09AAD477C1741E1B1A3D50369588CEB01B708DB89B9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......_..........& .............z..0......... g....................................;/........ .............................................P..t................#...............H...........................Z..(...................(U...............................text...x...........................`..`.data...0..........................@.`..rdata..............................@.`@.pdata...#.......$..................@.0@.xdata..h!......."..................@.0@.bss.....z...0........................`..edata.............................@.0@.idata..t....P......................@.0..CRT....`....p......................@.@..tls................................@.@..reloc...H.......J..................@.0B/4......p...........................@.PB/19.................................@..B/31...... ......."...v..............@..B/45......M.......N..................@..B/57.....

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libpng16-16.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	210944
Entropy (8bit):	6.4218776738200525
Encrypted:	false
SSDEEP:	3072:VatMOImapxER0/vnm2mjq61IJJT1fX0yuWUQstxZw2TnzFEY5IQ:VatMOImapaR03nmnYJV1cjtnwunw
MD5:	3A26CD3F92436747D2285DCEF1FAE67F
SHA1:	E3D1403BE06BEB32FC8DC7E8A58C31E18B586A70
SHA-256:	E688B4A4D18F4B6CCC99C6CA4980F51218CB825610775192D9B60B2F05EFF2D5
SHA-512:	73D651F063246723807D837811EAD30E3FACA8CB0581603F264C28FEA1B2BDB6D874A73C1288C7770E95463786D6945B065D4CA1CF553E08220AEA4E78A6F37F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....v...4.................h.............................................. ......................................`..........H...............0...............\|........................... ...(...................................................text...hu.......v..................`.P`.data................z..............@.P..rdata..`V.......X...\|..............@.`@.pdata..0...........................@.0@.xdata....... ......................@.0@.bss.... ....@........................`..edata.......`......................@.0@.idata..H............&..............@.0..CRT....X............2..............@.@..tls....h............4..............@.`..reloc..\|............6..............@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\libssl-1_1.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	689184
Entropy (8bit):	5.526574117413294
Encrypted:	false
SSDEEP:	12288:1SurcFFRd4l6NCNH98PikxqceDotbA/nJspatQM5eJpAJfeMw4o8s6U2lvz:1KWZH98PiRLsAtf8AmMHogU2lvz
MD5:	BC778F33480148EFA5D62B2EC85AAA7D
SHA1:	B1EC87CBD8BC4398C6EBB26549961C8AAB53D855
SHA-256:	9D4CF1C03629F92662FC8D7E3F1094A7FC93CB41634994464B853DF8036AF843
SHA-512:	80C1DD9D0179E6CC5F33EB62D05576A350AF78B5170BFDF2ECDA16F1D8C3C2D0E991A5534A113361AE62079FB165FFF2344EFD1B43031F1A7BFDA696552EE173
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......T...T...T...T...TS.U...TZ.U...TS.U...TS.U...TS.U...T..U...T...T.T..U-..T..U...T..uT...T..U...TRich...T........PE..d......^.........." .....(...H.......%..............................................H.....`..............................................N..85..........s........K...j.. .......L.......8............................................ ..8............................text....&.......(.................. ..`.rdata...%...@...&...,..............@..@.data...!M...p...D...R..............@....pdata..TT.......V..................@..@.idata...V... ...X..................@..@.00cfg...............D..............@..@.rsrc...s............F..............@..@.reloc..5............N..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\msvcp140.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\msvcp140_1.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\core\_multiarray_tests.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	6.192836538611655
Encrypted:	false
SSDEEP:	1536:3lSGe/2iH80GUjTyKjT0k2MqIAP2u8vP0TU3s:Vh+GUjTybkpAPp8rs
MD5:	790FE3D0CE7EFA7ADCD93AE3607B26E8
SHA1:	C76A4F99FBCE99A63FB853EBF73F8DB1E2DF2946
SHA-256:	25A240D1217DF88CDF3A8E4A24A40D6B6D3ECC18FD2E33CDD0E84609B1F944E7
SHA-512:	14B469593353590AEF3F4904363DD13D80AD785833326BAF144CA484F231F7B1DA0152ABEF6A6BA1D725AD1D7B6989A1788222B370B5D99894CDD9D5773016B3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|..\|..\|...G..\|.....\|.....\|.*....\|.....\|.....\|.....\|.."..\|..\|.`\|.....\|.....\|.....\|...+..\|.....\|.Rich.\|.................PE..d......_.........." .....6...l............................................................`..........................................p.......q..................L...............T....Y...............................Z...............P...............................text...c4.......6.................. ..`.rdata..<4...P...6...:..............@..@.data....!...........p..............@....pdata..L...........................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\core\_multiarray_umath.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2769920
Entropy (8bit):	6.537308891583725
Encrypted:	false
SSDEEP:	49152:/M/cze8S47oWNoUvqUEwdr8yzux14CtFrTyz4/V:WjAqw
MD5:	9330A90D64EE9C286DEF485B7CEA59C6
SHA1:	2B2B8EE50F6D51856CC3A6AF53DAEB3E4DBA52D4
SHA-256:	4F1D6F33FF92E20B39A77BA3B7B92A5E7AD0AC75E8855DCA792F49635FAB41DA
SHA-512:	2DF93157A4623D48C9A4B742C7912D8DDE18DE5777CC689F412DAEDE9E3C7BAB5276DDB1D8034A30CAB174AB3A25F14EC58A219F6C3BA8C58F2E5AB7839817CF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y..x..x..x....x..y+..x..y+..xCP...x..}+..x..\|+..x..{+..xw.y+..xx.y+..x..y..xx.p+..xx.x+..xx....xx.z+..xRich..x........PE..d......_.........." ..........................................................,...........`..........................................".p...`."......P,........H............`,.4".... ............................... ................. ............................text...#........................... ..`.rdata..F...........................@..@.data...0.....".......".............@....pdata..H...........d(.............@..@.rsrc........P,....................@..@.reloc..4"...`,..$... .............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\fft\_pocketfft_internal.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.177330572145835
Encrypted:	false
SSDEEP:	3072:LA/0iIoEsbAqVXfPkZpQd47ryh8J+s6dY+b6IDaY+Y:8/0SbAukZpQd47GK+HFF8
MD5:	3A33F279076E9800565CA8363B06C0DA
SHA1:	3D7EE1491BDDD80B3C4C850AB3B708D12D445F37
SHA-256:	72FBE745FC7F4D92820024B4FDF62F520A7F6E924D2817CE1728EBB059BB2D08
SHA-512:	51FB4434D7B934870AB1A23461444F7F97598365EA423CE143A5A3EB35045B3C8BF7D128544F5C537BFB80084441AA7DD0486637B44629CA005D0A40ADE3176D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RV...7...7...7...O...7..D_...7..sQ...7..D_...7..D_...7..D_...7...i...7...7.."7...^...7...^...7...^...7...^...7..Rich.7..........PE..d......_.........." .........8......d.....................................................`.........................................`...t......................T...............,...0...............................P................................................text...S........................... ..`.rdata..<........ ..................@..@.data...............................@....pdata..T...........................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\linalg\_umath_linalg.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	153600
Entropy (8bit):	6.419120291258942
Encrypted:	false
SSDEEP:	1536:CYlNH+NrvsGeowHRMfrdC8+43FxV0cVZpyd0Rse8SzNXw8Y4ngIBdWweH:CYlNSs9owHut+wFxV0K98nmgIBdhg
MD5:	E6CAA96C3F48EFE9CE3472F26B219562
SHA1:	20A50BE130C8E5C2A84E818CB31EA70FB94A835C
SHA-256:	77AA8BFF598695DE66A884CF9D8949A4BA6D6E2CD9FBBF690F2C81619DB50CD4
SHA-512:	90AF523F99DFC56CAB1816EC3E4A666CD9E1E1B14754375B923F4E0ACD8AEA6F14334463C66ABBA11FE44F67F4E0DE5E335E1DE6E12A738F96BC2D23202CF41E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O..............V=......F.......H......,.i......F.......F.......F.......p.......G..........q....G.......G.......G.......GQ......G......Rich............PE..d......_.........." .........v...........................................................`.........................................@-..h....-...............`..................p...p...................................................(............................text............................... ..`.rdata...=.......>..................@..@.data........@.......&..............@....pdata.......`.......>..............@..@.rsrc................T..............@..@.reloc..p............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\linalg\lapack_lite.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.530414151250272
Encrypted:	false
SSDEEP:	384:7FhVUSXgPqAEqjxkcHPA3mrrAnvx0cMYmhw:nVU2gPXjxDnonv4Ymh
MD5:	3051473794F5F8B157EF916D923D777E
SHA1:	96E2F8DFEFB9F62CB3E9169DCC42E66186112F0B
SHA-256:	ED298D41C9602CA2D7B76AE1F1F3BC04943DA737CEEFA3EFA622879790996841
SHA-512:	EF27D84E24BD5C1E49DB8507DD0948CC8B4C96817C135E360217F5008D741E48F7EBF3A011D4422DC636B866C8387C60A071E92FCD1C49936D057E88FFE7508C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.j...j...j...c...h...8o..h....a..h...8o..a...8o..b...8o..h....Y..h....n..i...j...W....n..k....n..k....nx.k....n..k...Richj...........PE..d......_.........." .........(......d.....................................................`..........................................G..d...TH..x....p.......`..(...............@...PB..............................pB...............@...............................text....-.......................... ..`.rdata..P....@.......2..............@..@.data...h....P.......B..............@....pdata..(....`.......L..............@..@.rsrc........p.......P..............@..@.reloc..@............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_bounded_integers.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238592
Entropy (8bit):	6.483806960130266
Encrypted:	false
SSDEEP:	3072:T0na8Au2nW0p9zutrqKU+Xlsmbbsgm7A+4oUxph/Vjzutz3A1TQysg36yt:Ia1nx9z4+w1sibb5X/VjmjwTQc6
MD5:	D99AF2345A02F03A1384B6E2CF5E470D
SHA1:	0B7F2E8416269C31C90D3050FBF11628B714A172
SHA-256:	A08B096A2FE82D807B99083F75473EFB9AEB90868F52C8C9A54DFF63ACD13DBA
SHA-512:	C878519670AFF0D102021FCCEF476905E61294EF7E557343380D35B545A753BB4CCB2C16A613BC0A709BE3377987769107513F444C46C16E62DAD6636777E717
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A.Y. ... ... ...X%.. ...H... ...F... ...H... ...H... ...H... ...~... ... ..3 ...I... ...I... ...I... ...II.. ...I... ..Rich. ..........PE..d......_.........." .................b....................................................`..........................................c......\|k..x...............................H....C...............................C...............................................text...C........................... ..`.rdata.............................@..@.data....5....... ...n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_common.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	178688
Entropy (8bit):	6.1540655505257815
Encrypted:	false
SSDEEP:	1536:2l2nUZt60F7ZVKAFbICNLDS7r01ngRnMA1ask7VcqKsljTuOaFb8+MFZgDXpcPCM:2lOG1vK2bICvyO+1kFJaFbJXpcPC
MD5:	C85312DF912E34A8FD4BDF336454ECC1
SHA1:	AF8A9D8ACE9A0D776CBE183A9D10A919044687B5
SHA-256:	FBC9FD657DF78DCE9313D8DC1834148AE73187300347FD1B82306052562BD6C3
SHA-512:	E619EADAABCC1D5AE287CA0EE1C2F1F5C8232C779A2375CE9FB2AD7CA0A07511188F8DEA42D3A8E0F47B2D04E59DEF8D7F131A94916308E4EB894E986B016519
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...........P.........................................X.........N...W......W......W.<....W......Rich...........PE..d......_.........." .....4..........d.....................................................`.........................................@q..\....q..d...............................H....]...............................]...............P...............................text...S3.......4.................. ..`.rdata...5...P...6...8..............@..@.data....K.......:...n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..H...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_generator.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	646144
Entropy (8bit):	6.316831567097614
Encrypted:	false
SSDEEP:	6144:ra4JYWEkB0sQbOn+aQWo+pWJ46dtjwT+SiSySxeiS+WXSMd5S5SyS/9SZSaSriSg:W4uobowWJDjw56xQrDRM0BsavJ
MD5:	E866BDFB77120B036DCF2CAC7405C853
SHA1:	8EE87BB0E91C9FCB7A6C1F971D115ED4DA8EE913
SHA-256:	30B7992723BDFAC4E4E54585101F356E4A2B816C4AA1B31E8D2E5255ACC50FA2
SHA-512:	4138935A96717F3935A571303643EB1CC529BC318EC4C15B7446E006ED6648AAFE74934412F9F45AD9FE25086F073755DB73C80F5952C131F49768D3F672905E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*c..n.{.n.{.n.{.gz..f.{.<jz.l.{..dz.l.{.<j~.b.{.<j..f.{.<jx.l.{..\z.m.{.n.z..{..k..k.{..ks.o.{..k{.o.{..k..o.{..ky.o.{.Richn.{.................PE..d......_.........." .........x.......m.......................................@............`.............................................x............ ...........%...........0......`................................................... ............................text.............................. ..`.rdata..............................@..@.data........@......................@....pdata...%.......&..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_mt19937.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	6.169423227466293
Encrypted:	false
SSDEEP:	1536:bSANk9+gY7gs5zcZ70V4vkWTWPgmdc0Dgs:bPkGf5IZ70V4vkWx0Dd
MD5:	6F3ACA71EA339374899CA9047B2B8E36
SHA1:	AEDFB30252679959CE40D3A3E8DB07A02BC827F7
SHA-256:	D5983C2F4A26C2DC671A92B5C4F7CB46C63844C502C30390670A5019A4125B6F
SHA-512:	918F3D37FE44EE76F5F4237EAE18C51178D0E964C51BA1230C17A08FF6050DD5A0B204E7C4480FF97D0183CB092A846C26C7945E8904C9CC6A2D08AF280035FE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..]<...<...<...5.L.8...n...>...Y...>...n...0...n...4...n...>.......?...<...........?.......=..... .=.......=...Rich<...................PE..d......_.........." .........~......d.....................................................`.........................................@...`.......x....`.......P...............p..x....................................................................................text............................... ..`.rdata...3.......4..................@..@.data....;.......2..................@....pdata.......P......."..............@..@.rsrc........`.......,..............@..@.reloc..x....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_pcg64.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65024
Entropy (8bit):	5.980786853285234
Encrypted:	false
SSDEEP:	768:R3Q13VEAjbJYEPT+7VKsoTVmsZm0aPVfI2AxvGzetNX2L+w9kZSjYcJ/YIqXcvPp:gVEUF+7gv6194YYcJ/Yeb17dAHPtC
MD5:	4BB9CE84AA35B45E5EE74FC13C9B42CA
SHA1:	F41E5E41E847EFF4C17EBE9FBF202AABE52BC80E
SHA-256:	1B31FB8C8F72A349F6E6301FA7B48D389E95D178398417CD9D013A46D4A4C8A5
SHA-512:	12B4B6039C43575A47FD34EB9DCC6E3206AA89872EC762E88BA5E42EF6C482470EC41E58CA662931F08608F5F668009D3CFEF2C9253A53C3B128E9B2AE373822
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..P<y..<y..<y..5.G.>y..n...>y..Y...>y..n...0y..n...4y..n...>y...'..?y..<y...y......>y......=y....+.=y......=y..Rich<y..................PE..d......_.........." .........l......d........................................P............`.........................................`...\.......d....0....... ..p............@.........................................................X............................text............................... ..`.rdata...&.......(..................@..@.data...H4.......,..................@....pdata..p.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_philox.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	72192
Entropy (8bit):	5.986508207434875
Encrypted:	false
SSDEEP:	1536:yIB2ic560kTG2nakT27hxiX0qWsr+1Gq:yK2ui0T0hxiX0Gr+1L
MD5:	12BA03FD5D6C0CA6E736BF9D6F6C4685
SHA1:	4F1B1BA887EC8B73A170D3CA5BD9D8462D8A70F7
SHA-256:	4D6A35E405FE7039C4B88C31F556B02F84326F7828238C78C7FF1892018B89C8
SHA-512:	489F8E33C0871CCB795D283180F6796E5CEB1E0CDAEF065EDA96839806D3EAE4461CB92E855882AEC6E0FE8CDFD9BD2781CF6B6140F846CE8256E2415C384D4C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..P<z..<z..<z..5.G.>z..n...>z..Y...>z..n...0z..n...4z..n...>z...$..?z..<z...z......>z......=z....+.=z......=z..Rich<z..........PE..d......_.........." .........z......d........................................p............`.............................................\.......d....P.......@...............`..L...@...............................`...................p............................text............................... ..`.rdata..z(.......*..................@..@.data...h@.......8..................@....pdata.......@......................@..@.rsrc........P......................@..@.reloc..L....`......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\_sfc64.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	5.860938878798157
Encrypted:	false
SSDEEP:	768:8cqkigR6k3uj+vBSipT24nzbO9Dgh9gqVVfIXgE2vilKUmZUBUcIrBobaHnJKcmp:Kkik3uyZx2p/nxicbWH+
MD5:	37F2DCA9964651933E341131C5BC8276
SHA1:	E6B12A435C836CD088F2840683C941276B7E532F
SHA-256:	C82BF2E1E90F0B293328C14F1F0B9811CDED0484C311F6DEB72E8C8A122E6104
SHA-512:	DE663548F0576F8A116011E099460A2580997A48394ADD17BE77904D4AE843761986A4DE0C19AF4C77E61C15B3797540B0161D6B9EDFB852BA5941511C952E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y..P=x..=x..=x..4.G.?x..o...?x..X...?x..o...1x..o...5x..o...?x...&..>x..=x...x......?x......<x....+.<x......<x..Rich=x..........................PE..d......_.........." .....\|...X......d........................................ ............`.........................................`...\.......d...............P...................@...............................`................................................text...3z.......\|.................. ..`.rdata...#.......$..................@..@.data... '....... ..................@....pdata..P...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\bit_generator.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	6.100107488012804
Encrypted:	false
SSDEEP:	3072:fRAMv1X6aXfjCSqs+CILiNwS6Pi2+WarahcWhbZdFkSx2+WarahzZms3T:5RNqqfj+zCILiNkPi2+Warahc4FkSx2f
MD5:	2EF183E96EF80BB399627A24C063D94D
SHA1:	255A8B634CBCF45AABE81ACFF019F4C93E4FEE53
SHA-256:	6C15E698421E952FF9B4CBFFCD3797E56E1BE694BB01B652D816835B9A2A46BD
SHA-512:	841FB9CDA82DAE341B4D6FD94A69BA7D22085E22766351B70FF754C8D4D8F39BF00806D36F45D7DD43C54965F075034D9E85B4C57F8A97C6F1151ACAD93B9B06
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...........p.........................................X.........7...W......W......W......W......Rich...........................PE..d......_.........." .....p..........d.....................................................`.........................................0...h.......d....p.......`..................$....................................................................................text...so.......p.................. ..`.rdata...K.......L...t..............@..@.data...........x..................@....pdata.......`.......8..............@..@.rsrc........p.......H..............@..@.reloc..$............J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\numpy\random\mtrand.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	561152
Entropy (8bit):	6.202499551459795
Encrypted:	false
SSDEEP:	6144:fh36m8oc7i1j9Pr/cDo+KjJQuSxSISPw+SeWkSOKTSpSPuSx+SzS5SQS7SQSKStP:Hxr/pV6oYWLfrHV/NoPNhC1
MD5:	5C13C535D5E3F2A1459A78AACE6D9562
SHA1:	626257B38B53FB715AB2D8121A2F7C45485E2A6A
SHA-256:	0D947A90CAEC87DA431786274B6C4D9F1AE47A28E63209B61551F86EB3D25C2A
SHA-512:	AC5ECD385F7D83C23188A090EB70792669CC3A8C30C07B4B527A5CB8327EDE3E183973F69FA9A8F0B608D02674571750C2E564CBB3DF02BD616CDDE7B32A9946
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.]<...<...<...5.t.8...n...>...Y...>...n...0...n...4...n...>.......?...<...........?.......=.......=.......=...Rich<...........PE..d......_.........." .....B...j......d.....................................................`.........................................0...........x...............................0................................... ................`...............................text...CA.......B.................. ..`.rdata..L....`.......F..............@..@.data...0...........................@....pdata...............j..............@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pyexpat.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	202768
Entropy (8bit):	6.312695764898477
Encrypted:	false
SSDEEP:	3072:nT3d9F9j+gUPNDoqAdeEaUwExv0yOWIkPQXLBLBtpug8FGty+auDomdI8VhHF:jHF1+gUP8deIwEXLIfLB6g8FGJauDom7
MD5:	6500AA010C8B50FFD1544F08AF03FA4F
SHA1:	A03F9F70D4ECC565F0FAE26EF690D63E3711A20A
SHA-256:	752CF6804AAC09480BF1E839A26285EC2668405010ED7FFD2021596E49B94DEC
SHA-512:	F5F0521039C816408A5DD8B7394F9DB5250E6DC14C0328898F1BED5DE1E8A26338A678896F20AAFA13C56B903B787F274D3DEC467808787D00C74350863175D1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[c.4...g...g...g.z\g...g$\.f...g$\.f...g$\.f...g$\.f...g.\.f...gDj.f...g...gq..g.\.f...g.\.f...g.\0g...g.\.f...gRich...g........PE..d...}.:_.........." .....$...........".......................................P............`.........................................P...P............0...........#...........@..........T...........................P................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...............................@....pdata...#.......$..................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\_freetype.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	78336
Entropy (8bit):	6.204869863327296
Encrypted:	false
SSDEEP:	1536:VhqhAKcrR/8x06ycBTBaqyuNSrfX8C+0C26cY0X86wSV:LogrR/i06ycBAWETm26cY+xw
MD5:	9965789309173A830BFA9A077FF74620
SHA1:	7E0E0E57DB8F6A35451C8A07F7E01D30C0A7D4BA
SHA-256:	AF0D34EFB97F7F919660BF3F072CD05619044D52443BB7D6A15DA46A3056E123
SHA-512:	BED36C241DDB990777D26C7C66DBAE2C4FB5FDB073F6229FB355BD602E3FB72F25C7AE01405C768B6DD3D5FDDF8E11211A788757F3CCF40D1B02874ADC71D7DB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................i.........................................v.......P...................l...P......P.......s.......P.......Rich............PE..d....?.a.........." .........~...... .....................................................`.............................................`............p.......P..L....................................................................................................text............................... ..`.rdata...V.......X..................@..@.data...p....0......................@....pdata..L....P......................@..@.gfids.......`.......*..............@..@.rsrc........p.......,..............@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\base.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30208
Entropy (8bit):	5.679638168280965
Encrypted:	false
SSDEEP:	384:mVYWfe3eY7ucEbN00V4X77JL87z0bCtmmRWXQqO5SK14dhi5a7H0EovKsOlAPdQl:mVpDifJ9sSfbdHGwlbzaI3AOAo
MD5:	6957DFFAAECDD72D6104C2927AA58B48
SHA1:	6ACAD377363BE0CC8F7F01115800004A59C9EDAE
SHA-256:	649355AB92FD24B53CD93C032D82ACD8CD4DB0E34828FCEF727B7B088986096F
SHA-512:	F2A01FADDCDC2AE617CCCCD7E6070F277165929826716E6BDB6038494943D7DD9778AA12CB5ABCE41C1F70D779557AB28B3BB49D2D45D0FC99E8A0D9FCA33121
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3^.OR0.OR0.OR0.F*..KR0.t.1.MR0..:1.MR0.t.3.MR0.t.5.DR0.t.4.ER0..;1.MR0..'1.LR0.OR1.%R0...8.NR0...0.NR0.....NR0...2.NR0.RichOR0.........................PE..d....?.a.........." .....>...:......PA....................................................`......................................... g..X...xg..................................d...p^...............................^...............P..`............................text...C=.......>.................. ..`.rdata...#...P...$...B..............@..@.data................f..............@....pdata...............j..............@..@.gfids...............p..............@..@.rsrc................r..............@..@.reloc..d............t..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\bufferproxy.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.170811425002114
Encrypted:	false
SSDEEP:	384:newY0rxsa3Cl+38Y5f+0TvTf7BCcMRU8:ewjGzWrWa
MD5:	8135AC817358F25E5CFB4339FBCB1F48
SHA1:	C275AA3339F64C8B4FFB3910B786D1CB293FB51B
SHA-256:	33DB4178156A6EA158CDA0EF3292B331747BFC198556151A4B0581113DEBD5F0
SHA-512:	F125CE9E56351AC3B0BA5FD25669AFA12AE5592F6DC716899599B77E4C0F90E9F2A77D59C54C0E78D78E1D1F7B441B0479813F86DDD58FDA1727EE381D49CECC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................\................................................"......"........0...."......Rich............................PE..d....?.a.........." .........,......p!....................................................`..........................................<..d...T=..d............`..H...............l...P7..............................p7...............0...............................text...c........................... ..`.rdata..r....0......."..............@..@.data...h....P.......8..............@....pdata..H....`.......>..............@..@.gfids.......p.......B..............@..@.rsrc................D..............@..@.reloc..l............F..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\color.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.73802357017814
Encrypted:	false
SSDEEP:	384:czCH4hXynBaXFm8ztqAOpBD0Qr7rL2rYZr4cYhIYm5CJuw+Tais8z51YcaBhtKBu:qHXupBD02/pYhj+Tais8zgRkfjItDXN
MD5:	0B4838DB9B4E3AE820F25CC9DA70A4D2
SHA1:	253C3D775610D361747DCDE71CAC6D03D6074965
SHA-256:	B6C633094F99FD261F48F9CA9D4ADDB538EA159D0D8BF16089D304402F5BBA4C
SHA-512:	16B73F564E5744938CE9775AD8C5E63B48BDB0609CB54B39A65B030FF1B373C4FF6D05AFCB268D100501969FE4FF9773C1780EDD85F4B5BB581DA4DA4E6B73FE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V..............C............................................$...............................!./.............Rich............PE..d....?.a.........." .....L...B.......N....................................................`..........................................z..X...hz......................................Pm..............................pm...............`...............................text....J.......L.................. ..`.rdata..F%...`...&...P..............@..@.data................v..............@....pdata...............~..............@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\constants.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.274247290628612
Encrypted:	false
SSDEEP:	768:jIM9yfKTjm60ahCUCZ/2gPz5/+y2y4nUgb/VyEIc7taN38rw:99yfKTjm8hbK/FPzEnIc7taNm
MD5:	A04FF6997A13DE095BA1C3CF4DD9103E
SHA1:	F7F9CA2C202162774FE86F93B09ACD2EBF2F5601
SHA-256:	0449FC696397091D4AB7119A4F40A118C022C6F0736A3BA79DD896A7111E7A7B
SHA-512:	4E0AF59DC1B0D758A7A810D37854522B0B219E425A48690451320F4D60B3AD5A71817B2874B368D252EC9FA107D9D32B78342707D0F3858A9EE79B2181008828
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.K..K..K..3..K.....K...#..K.....K.....K.....K..."..K..K..K.. ...K.. ...K....t.K.. ...K..Rich.K..................PE..d....?.a.........." .........>......p........................................ ............`.............................................`... ...d...............................0...0...............................P...................8............................text.............................. ..`.rdata.. -..........................@..@.data...............................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\display.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44032
Entropy (8bit):	5.783700908556658
Encrypted:	false
SSDEEP:	768:xLapST8QYqxxALGvMCf6hPOHTQAaZh1JnqnwX1hWbg:rT8ap7WOeZhv8ajeg
MD5:	580E19C9A9D58B9EDC2722402CCE4974
SHA1:	7D153FD0EAEC9C3549EFFDE38E9F26F54EE64774
SHA-256:	1A5D2C1379855466463586B49BC61B78C2E2F7C6B3E8ABA2AF99D149BCBCFDB2
SHA-512:	C3081A8B4F54C7D54918F01AE76616DDB3110C90884DE2561630C4387012DB5BA09A928349492ACE525687568C13BCB0D0770CD86EE187315301493925D810A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.....p...q...p..q...p...s...p...u...p...t...p.(.q...p..q...p...q...p...x...p...p...p.-.....p...r...p.Rich..p.................PE..d....?.a.........." .....V...X.......Y....................................................`.............................................\............................................................................................p...............................text....U.......V.................. ..`.rdata...;...p...<...Z..............@..@.data...............................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\draw.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	6.099628652524892
Encrypted:	false
SSDEEP:	768:u9jFnfN/dACKdHg22tWi7/ogt1kHIMiF2Z3cmP+zZzFqzrYrsG:AVWVzoWi7/ZkHIMicXX0IG
MD5:	6C3AAD01782CFB0A31A752E40F2010C8
SHA1:	FA72B534991202C7AA17FAB4B7A13CD7A0D07C65
SHA-256:	33E7E6ECE451C0762D174E843AEF5B05147EC09DFF6684EAA7801C0EE86831B6
SHA-512:	7D6FCA733D18CE6BF1BDCBAEDCFD3F34376644A63CA0B29EADECE7CD428D50F0699696A049AE0D5AA0310B9E566CA0E6EACF6BE33BEC4EB0AA32EC1A52117646
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z..............e.........................................h.......................N.......N.......m.......N.......Rich............PE..d....?.a.........." .....~...B......@.....................................................`.........................................0...X...........................................p...................................................@............................text...S\|.......~.................. ..`.rdata...&.......(..................@..@.data...............................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\event.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.665174203175519
Encrypted:	false
SSDEEP:	384:bgkujLBgOY7h3dsAj2jKF7gFkEIHsJfgB0rWNJ6jrkfc75tNU1JDmSov1ZeH/ax8:FuB413iXKR4piu6H/s9Cm1u
MD5:	49837839686BBC2E230A216454A76A56
SHA1:	F4D34957BB75B12ACC778299B193FE2E8EEF789F
SHA-256:	BC14621B41528937C5AA5F5400874A3AF581578709323DB04884A622826EC849
SHA-512:	814AB72985175F48F886C1EF3D6F82BE1B8FC9F3A0C88CC9792AB1BD3D14575DF760FF96E6DE56047D5A6679A9F58155A7E4C41F9F5EE4B1BD2332FE4C6376E8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.^.L...L...L...4w..L.......L...$...L.......L.......L.......L..{%...L...9...L...L...L..]....L..]....L..~....L..]....L..Rich.L..........................PE..d....?.a.........." .....Z...F.......\....................................................`.........................................P...X...........................................P...............................p................p...............................text...SY.......Z.................. ..`.rdata...*...p...,...^..............@..@.data...............................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\font.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.3407998299229
Encrypted:	false
SSDEEP:	384:1x2nVIdaFQqwXS7qCVjFuRtPE840dvihm2uhAfGsuRoIBIArACDcMMg:14YqwXclVjYRvWuu+dEc
MD5:	B5951DEFAA7E26060BC045F85D23FA1B
SHA1:	0F53D11836C2B97230B01668348B6A99802653A6
SHA-256:	846C657C34FD07C360542ED3D78F7782C8D32FC257888ECB5713E40678437C46
SHA-512:	D4747A831F09AE2AF02D7EEF3A2B911CC9F40AE07171B4D104F64C52FDA968CC57D4836D541C05109AA560C1FB9D6620597F8551F7FC87850EBFD3B6E1DD89A8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.{.M.{.M.{.v.z.O.{...z.O.{.v.x.O.{.v.~.F.{.v...D.{..z.O.{.D...I.{...z.N.{.M.z...{...s.L.{...{.L.{....L.{...y.L.{.RichM.{.........PE..d....?.a.........." .....&...:...........................................................`..........................................T..X....U.......................................M...............................N...............@..(............................text....%.......&.................. ..`.rdata... ...@...".................@..@.data........p.......L..............@....pdata...............R..............@..@.gfids...............X..............@..@.rsrc................Z..............@..@.reloc...............\..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\image.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.791014923696717
Encrypted:	false
SSDEEP:	384:XL4Ltxxz1ugXX2AFovzngbdn17Rpk8mqk+AkB/66RT5ScAwWA7WRwh/TJ1XKcNmb:cBFFqLm1TbRoDwWA7WRKFrmb
MD5:	6F33F326BA1F9A076C5B0A29B4356438
SHA1:	7A5F6924DE9385EE1DCC23FF1D790F1D700F9496
SHA-256:	E136586B6FA61E6F734EF130C8EAF3E1C133A438F2F32816D05037BB682961D0
SHA-512:	D03A811455AD36893600D9FADBB468808667B17AE615F4154BE707BE579ABDF7C3CBCE19C1871F069E290ABF0C48869EAFB9E565316207D2086692F46110B446
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3'..]t..]t..]t..t..]t..\u..]t..\u..]t..^u..]t..Xu..]t..Yu..]tl.\u..]t..\u..]t..\t..]tJ.Uu..]tJ.]u..]ti..t..]tJ._u..]tRich..]t........................PE..d....?.a.........." .....>...2.......A....................................................`.........................................Pb..X....b..................H...............d....[...............................[...............P...............................text....=.......>.................. ..`.rdata..d....P.......B..............@..@.data...H....p.......`..............@....pdata..H............d..............@..@.gfids...............h..............@..@.rsrc................j..............@..@.reloc..d............l..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\imageext.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.3288808221207145
Encrypted:	false
SSDEEP:	384:hipEV3sRR7L9V6MJX9TgedamfBtCX4Zp1DmV4gevhzdcLLc7iz:hKEViRzQyzC4D5mV41dcqi
MD5:	BBCBEE70AD4C438CB6340CED73883521
SHA1:	E31A352986963AFFE0E7DFA754F0ED87B9908F53
SHA-256:	75FD74BEA42276DB6BB468851098A96EE0C76379003F0C9CC7A13C0C9DF07122
SHA-512:	7554A258F9C19C56D53D52BAD7CB07EA5C1A3CD9771301E9854C47D46F981D9D64351483A5FF3B9AA2B28F74CFC806C99218DDB074DE29DBB85BFECA6547E0C3
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........._...................................!D...............................................................................\|............Rich............................PE..d....?.a.........." ....."...,......P%....................................................`..........................................L..`...0M...............p..................<....F...............................G...............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data........`.......@..............@....pdata.......p.......B..............@..@.gfids...............F..............@..@.rsrc................H..............@..@.reloc..<............J..............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\joystick.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.2928685167428196
Encrypted:	false
SSDEEP:	384:ND4c5eVL5VkHPRU13wki2sn+1jbZ4/mb1cMmmmM:Nb5Gt13wkiZ+1u/mf
MD5:	3366202C1EEF51F56E5C26CE31304FA2
SHA1:	413F6AD2E7BEB4823045952961A93F1837B04B2A
SHA-256:	9EC6E0A077BCAD6E67EF9CF0D465749FFD714248ECE25A48BAB065781D11E5AC
SHA-512:	F89A3CE5BA6A40D464317C9B3B72F9342C99B2331AA9EC23CF0D12990A7B847D2F4A9CD7FAA8E945ADF492D85DF39315B58B605C2026F744137B1779BC43B76D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..F..F..F......F...G..F..G..F...E..F...C..F...B..F.s.G..F..G..F..G.F.U.N..F.U.F..F.v...F.U.D..F.Rich.F.........PE..d....?.a.........." ..... ...2......."....................................................`.........................................pA..`....A..x............`.......................;...............................;...............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......@..............@....pdata.......`.......F..............@..@.gfids.......p.......J..............@..@.rsrc................L..............@..@.reloc...............N..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\key.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	4.885516034084412
Encrypted:	false
SSDEEP:	384:8rOTgL3DaLkKNrpcVVYMdFuTwgukAtyDT1/vcMABYStqaM6Krt:aLMi7Cwtextohqr6I
MD5:	066A526CB1D816664C2B6A40AE437D72
SHA1:	8899390E5FB6490813C3AF2E3754A213190E3E3D
SHA-256:	E89FBEC8BD486D708A49725C5158C2A748D24BBCA673CB3C906439806777718E
SHA-512:	F2D7DC9303402B83458C47D858E27060DA5933DEA194A1421CCF39AC41DE8AFE877F2DD86AEBC2F4B175C15B7A8DB1E136B116B417341C06F99254E86CDD495F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f..f..f......f...g..f..g..f...e..f...c..f...b..f.t.g..f..g..f..g.f.R.n..f.R.f..f.q...f.R.d..f.Rich.f.................PE..d....?.a.........." ....."...J.......%....................................................`..........................................X..T...$Y..x...............................@....S...............................S...............@..0............................text....!.......".................. ..`.rdata...!...@..."...&..............@..@.data........p.......H..............@....pdata...............\..............@..@.gfids...............`..............@..@.rsrc................b..............@..@.reloc..@............d..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mask.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	6.188213197887492
Encrypted:	false
SSDEEP:	1536:9ALYaiRq6PZda5jU2zsR4dOKiXUVmBIhbXjDEyHkljcc:9ALYbQ6Pq2P4dOKiXUVmBWXjIyHklo
MD5:	15852767AAB165A1C8FB77ABF6C02F3F
SHA1:	A581AA0338A6D3F4D8301FB3A7C7D3EDF2FCA980
SHA-256:	059142E9690EF8319E27CDF0EF1377D7C7940C83FB6EEEB3D77F6F44919C80DB
SHA-512:	61DB1EAE69B8AF304DEC528A95E56B598FD343184EA112487BA4268722A13A2D17ADCFCA58E33FF2C9FED2A4B69FDD10AEE2D4EF7A41522091005154923B8CFD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Xc...c...c...j.t.e...X...a...8...a...X...a...X...h...X...i.......a...6...`...c...2.......a.......b.......b.......b...Richc...........PE..d....?.a.........." .........N......`........................................0............`.............................................X...h................................ .. ....................................................................................text...c........................... ..`.rdata..4........0..................@..@.data...............................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc.. .... ......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\math.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.986686387118695
Encrypted:	false
SSDEEP:	1536:6OdMMdcUIdLd9t2tFU/8O6nKMGCnq3dbiRr1CH:hdcUMLvMtFL7KMlnq3dbiRI
MD5:	94D6D00B92A6C8BB7FC7A967B189B0F6
SHA1:	D9C2CABB073CD26A0BB59FED9DAFA84C9CD00044
SHA-256:	01CE02EDE8DBBD5BB9665FE9A01A3F25F1B560E745B13BEA6044E93F728FCB9D
SHA-512:	6B0505210489980335015EF925D82A42C87F5C71092C2399E58ECE1B12B24C89778B4864D3C8CC7CFA0359F976B8C394D8F3EEE0744EDA94567DD7B8F769171D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..Uw...w...w...~...s...L..u...,..u...L..r...L..\|...L..}.......t...w..........v......v.....s.v......v...Richw...................PE..d... ?.a.........." .........~...............................................`............`.........................................p...X.......x....@..........h............P.......................................................................................text............................... ..`.rdata.."I.......J..................@..@.data...............................@....pdata..h...........................@..@.gfids....... ......................@..@_RDATA..0....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mixer.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.658295348751267
Encrypted:	false
SSDEEP:	768:oGrr4779GIItgzU/HftuysPesmSUf+SCd:/HteOHfIysPes9UWd
MD5:	E8E827FA0F2A1E519E02173A3275556A
SHA1:	2BD4A884A302DD21DB06A33FAB7DD2307C1BA77A
SHA-256:	C8509D96B07FD913CA4BE44156C6516A9C5B0F962DFE7519DB7A282A24B6A877
SHA-512:	2EFCB44C718A0ADDE7C2FF5915FBE6770E298392FB6E0DEBD917E8A89993FE39F7495C84197252F927B36CEE88C9E8EBCFAE678C65A3D8C0AB7E55786A3D5150
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................1...............................,.....U>........................).].........Rich...........PE..d....?.a.........." .....B...N......pE....................................................`.........................................0...X.......................................T....x...............................x...............`...............................text...cA.......B.................. ..`.rdata.../...`...0...F..............@..@.data................v..............@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mixer_music.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.321389308193211
Encrypted:	false
SSDEEP:	384:PqvuUSXhqrH2CaBzR8nqAaTvVtEG8cNwniCU:JZT8ncvVtEy+U
MD5:	F0FFF37B28CD80E1138B0D1DAE12826C
SHA1:	0D98044DE21C2C2F31784F031640E86F25E857EA
SHA-256:	4635C4F9E594740DEFCA85097266D59573C6B028C6C09E46FFC23098F49A431E
SHA-512:	7215562D0052C7D8A2EB3F0CAC16146A367FCBE48FB1A85043A8B1F55CB9D44BC8D7B22C6652E4CE44F385A092E48FEC14A5BF5AE8C6DA0DCFB6C90EFE8C5035
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........G.zO&.)O&.)O&.)F^*)M&.)tx.(M&.).N.(M&.)tx.(M&.)tx.(D&.)tx.(E&.).O.(M&.)T.%)M&.).S.(L&.)O&.).&.).x.(N&.).x.(N&.).xF)N&.).x.(N&.)RichO&.)........................PE..d....?.a.........." .....$..........p&....................................................`.........................................0P..d....P...............p..T...................`J...............................J...............@...............................text...c".......$.................. ..`.rdata.......@.......(..............@..@.data...x....`.......B..............@....pdata..T....p.......F..............@..@.gfids...............J..............@..@.rsrc................L..............@..@.reloc...............N..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\mouse.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.213980760489755
Encrypted:	false
SSDEEP:	384:m4n1F8UOM95wBZ1rFtMtxtn4TdhT3L/cMrAU:m4n1F85Myutvczhr7
MD5:	4B8C2DB25033F681BA99A5CDFE218E97
SHA1:	C201863728E1BE3199E3EB5C7EB5591FA1472240
SHA-256:	3098B2D9B751F6F5AD2A91EEC9D8C82F32F37A69C168A2E2C384B30633DA1289
SHA-512:	01D0AA4377921F613F59078DA238C9D66749134715D7D1A57B73FAA744493E9B0D5270484F17D6CCB2695F235F3C5E5271B4EF7F627D69A674B5CBAE9B6B3B02
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3^.OR0.OR0.OR0.F*..KR0.t.1.MR0..:1.MR0.t.3.MR0.t.5.DR0.t.4.ER0..;1.MR0..'1.LR0.OR1..R0...8.NR0...0.NR0.....NR0...2.NR0.RichOR0.........................PE..d....?.a.........." ..... ..........."....................................................`..........................................?..X....?...............`..................l....9...............................9...............0..`............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......>..............@....pdata.......`.......B..............@..@.gfids.......p.......F..............@..@.rsrc................H..............@..@.reloc..l............J..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\pixelarray.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.064596577114034
Encrypted:	false
SSDEEP:	768:yVp+JVksLW5k4flLN9DgDMEm6lqM78wkPCRZ7UmTlWHQaLCKU2ra76Z+iJXH/wHR:Up+cD8MMq48UbUdKKi6Z3oH
MD5:	6E769E1EA4700A57CA598447072416CB
SHA1:	3419DE4C948A983ACEB93CAC20C5A9EC6DD2A809
SHA-256:	80D0E26C4555617CD346AD50072277D3451376FF6AB02F0980004E3DB21E41C5
SHA-512:	C5C3EA5617F75B23A96355849AE7799F8A3C8865BD27A33D14E79D2ABA0754D29524630B2C16B4599699C927F9F32C795DD151E0B0CFCEE0B1E9E1369AFC0C9F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z..............D.........................................h.......................N.......N.......m.(.....N.......Rich....................PE..d....?.a.........." .....t...@.......v....................................................`.........................................@...d...........................................@...............................`................................................text....r.......t.................. ..`.rdata..:%.......&...x..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\pixelcopy.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.761453811981597
Encrypted:	false
SSDEEP:	384:TPQtj2J1h1LU1HYJ0U4QTg/4p0Np4QEMBnFRjTfL7cMynJ:TPQtO/1LRLIXnLrVy
MD5:	49477E3298A73ECA10DFD1F48AAE8758
SHA1:	501F2D4EBEF4200A637504478787D3BB5007A08D
SHA-256:	F933C41E923D885D2AF0368960DB3B814EB15CCC3DC9560E8796D4292CDEFE25
SHA-512:	34EF9AEA9D5E571A4A96BBC47074EA2E612FFAA74BE0D1C661174854A58F740E1C9A77E6A57831A7E3DFD6BC01EA6412F21DE6F934A417E6CD8C944D705C523E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................^........................................H......................n.......n.......M.2.....n.......Rich............................PE..d... ?.a.........." .....:..........p=....................................................`.........................................@d..`....d..x...............................@....]...............................]...............P...............................text...c9.......:.................. ..`.rdata.......P.......>..............@..@.data...h....p.......Z..............@....pdata...............\..............@..@.gfids...............`..............@..@.rsrc................b..............@..@.reloc..@............d..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\rect.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	5.688408458159711
Encrypted:	false
SSDEEP:	768:qlyQ1yzflz2H+xYeD5uRFc7DYendUdvmy:xDlAoTUd+
MD5:	002124478CD478C6492C3EEB4E3D598C
SHA1:	0729E154BA55A45B02393B8EE3CD1E287B721DDB
SHA-256:	D2BFC8563BB5C1D7C73E727F13D3A8B5A41B32415087EE60BDD70A9945428D2B
SHA-512:	4E56D49ED824B9B9FA02AB40017805B4F38E62E2A04998FCF79043B6600A2DE2905BEAC10CB1D8E810376BA7EF10E491894E247C4510FBD7924E484C7E050ADC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3^=OR0nOR0nOR0nF*.nKR0nt.1oMR0n.:1oMR0nt.3oMR0nt.5oDR0nt.4oER0n.;1oMR0n.'1oLR0nOR1n.R0n..8oNR0n..0oNR0n...nNR0n..2oNR0nRichOR0n........................PE..d....?.a.........." .....J...H......0M....................................................`..........................................\|..X...8}..................................t....r...............................s...............`...............................text...#I.......J.................. ..`.rdata...&...`...(...N..............@..@.data...P............v..............@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..t...........................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\rwobject.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19968
Entropy (8bit):	5.290419159050352
Encrypted:	false
SSDEEP:	384:Sw8SAsxJbWakMKhoYaVYfJMqdop7GvmmkSCFcNQX:r/HkMmE7ok7yQ
MD5:	DC1BC1AABF560371D7E5BA827CF8CDBE
SHA1:	7C565B88C20F0BFD1C6410A14FEAE1676251F2BB
SHA-256:	21641F109D40187A0D4EB83AE170034F7186F8C3329DF09EBAE9CC7C1C465078
SHA-512:	098616473F13B98ABFF65D32ABDA83F601FC3E65CBF673EC4518EAA383CE199F4BC5F45E026582C83D5DE4C400CFB5EEC0ED58CD6A424634E27528D6FE0378D8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................,............../Tx...................&................................#.@...........Rich....................PE..d....?.a.........." .....$...,.......&....................................................`..........................................N..`...`N...............p..................@....F...............................G...............@...............................text....".......$.................. ..`.rdata.......@.......(..............@..@.data........`.......B..............@....pdata.......p.......D..............@..@.gfids...............H..............@..@.rsrc................J..............@..@.reloc..@............L..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\scrap.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.244515673174077
Encrypted:	false
SSDEEP:	384:GsZ9ciXBAQoBQo3HVtdsDKeJRnQTt/gZTheucMWqM5K/:H9ciXBY3AFDNtVWvE
MD5:	31EDC06FCBAA1FEC5AC049AF8432C05D
SHA1:	275BF6E0716F91E90EC7A26098EF12437CC48342
SHA-256:	7B5934C10123FB5CB635984D38B29AD2BEF8E6FDCBF589C34AE1E7A095E8C680
SHA-512:	B6DAA4F56722FB3B33807326FB07EDD6A4E1A30C4EFA1A2D8B539F05A9BAFB8B0E2A774F38A084943AA5CE4BDED7C9B3E98BD82B7934CB5492DE73664A5CEC7A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........SC.n.C.n.C.n.J...E.n.x.o.A.n.x.m.A.n.x.k.I.n.x.j.I.n..o.A.n...o.G.n...o.@.n.C.o...n..f.B.n..n.B.n....B.n..l.B.n.RichC.n.........PE..d....?.a.........." ..... ...,......."....................................................`.........................................P>..X....>...............`..................X....7...............................7...............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......>..............@....pdata.......`.......@..............@..@.gfids.......p.......D..............@..@.rsrc................F..............@..@.reloc..X............H..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\surface.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	220672
Entropy (8bit):	6.3783596774039815
Encrypted:	false
SSDEEP:	3072:QAqOctGdEqVJ//lkjkVk+k9mPmVmTgFcIzMDnZE7:COcuJ//lkjkVk+k9mPmVmTgFcIQDnC7
MD5:	844FF6F5FE453C45E01C922241A9EFC0
SHA1:	4F888AF9CE2BA63286434439A9F275260199F1F6
SHA-256:	4730D706D887DBB74CE835B8C8EAD47AE7CFE1A5EB8D29F50A8D63E9CFFA5CD1
SHA-512:	8D9694D6202289A6566BC83C2DF0EC6ABF855EE23313A73008002BB570D89AEE3BE3A3A0F9318690EFB3081FDB50A16BFEA984979CD76AED95B66C19A51774E1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..q...q...q...x.z.u...J...s...*...s...J...s...J...{...J...{.......s...$...r...q...........r.......p.......p.......p...Richq...................PE..d....?.a.........." .........j......P.....................................................`.........................................0I..\....I...............p..t....................:...............................:...............................................text...C........................... ..`.rdata...G.......H..................@..@.data........`.......B..............@....pdata..t....p.......L..............@..@.gfids...............X..............@..@.rsrc................Z..............@..@.reloc...............\..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\surflock.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.748836333842975
Encrypted:	false
SSDEEP:	192:ds9WS9oDgVvpqPrtDmhRvPo24ekyPosKKFAgXU/ZMc6zG:K9t9oDgVBSQhRvsekyoKFAicM3
MD5:	FE35671133B52A43C9A4E3466115CD4A
SHA1:	5F28BCB373FDA9B2EC3EDBC32A0B04E1C41FAEED
SHA-256:	AFAE791424C4B124FBA2F47971FFBDA06CE234CC768EF70E9D91BD3E50792A7A
SHA-512:	23D2C69366FD17CE43D84D5C98C11DBCCCB7B923D9D364A7672FA5DE8E3C1E0591BE5E9BB7481017382218160327D6AB77EB0646887879484338E0C962E73116
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y1...P...P...P...(...P..&....P..F8...P..&....P..&....P..&....P..9...P..H%...P...P..+P......P......P......P......P..Rich.P..........................PE..d....?.a.........." .........$............................................................`..........................................7..`...08..x....p.......P..X...............,....2...............................2...............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......(..............@....pdata..X....P.......,..............@..@.gfids.......`.......0..............@..@.rsrc........p.......2..............@..@.reloc..,............4..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\time.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.021063469377741
Encrypted:	false
SSDEEP:	384:am0CMudvllWt2O7s9fpuIEs/iAVEE2HTezx3cMe:amB7otSEs/3E/Hqre
MD5:	6C6B3F80BD877D5DC8E8BA5655C39602
SHA1:	7876923AE8A02D8343D12F85F8489A02343260DB
SHA-256:	AE3D2AD95169FC0B9FCBFF4F631752FE7753CD85D0B1B29BCC71090F04D56ED0
SHA-512:	5817DDDC3AE2B2695197722CC9FA4C0E70F1DFD1CA224C6A3B67527ABDAE760AA9891B50FD8E4F3950D16EB8AB1F4B4D374CD9BE020A1A40C17CB3B166160232
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3^.OR0.OR0.OR0.F*..KR0.t.1.MR0..:1.MR0.t.3.MR0.t.5.DR0.t.4.ER0..;1.MR0..'1.LR0.OR1..R0...8.NR0...0.NR0.....NR0...2.NR0.RichOR0.........................PE..d....?.a.........." ................p ....................................................`.........................................@=..X....=...............`.......................7...............................7...............0..P............................text...c........................... ..`.rdata..n....0......."..............@..@.data...X....P.......:..............@....pdata.......`.......@..............@..@.gfids.......p.......D..............@..@.rsrc................F..............@..@.reloc...............H..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\pygame\transform.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	6.234819540381457
Encrypted:	false
SSDEEP:	768:wLoLurPrJgIlzKqZIyqcerwMpdF6YBf1JmXyEq9D2/rfC2:sgIzpZIierwIdF11k1IETC2
MD5:	CE4431CB9C2FE33DB084795432AFF22B
SHA1:	528E900BAE5C96B37D25B87694B0B29F76FE7758
SHA-256:	54E8B3D2BBB7868202571989F982037F02BC48917AE72F6EB86A3B4BB37B831D
SHA-512:	590B8E380F9C05D8E0AD4FC70D3834DD590E6CF1F22C35BB96E8ABF8A175FFA8B8C96F87F7AE7AA90FE8905B57D3194C9EBFF2F994E3347F223E664B68FAD589
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mgCE...E...E...Lt..C...~R..G....d..G...~R..G...~R..N...~R..O....e..G....y..F...E........R..F...E...D....R..D....R..D....R..D...RichE...................PE..d....?.a.........." .........@......p........................................ ............`.........................................@...`.......................D...................`................................................................................text............................... ..`.rdata...'.......(..................@..@.data...............................@....pdata..D...........................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\python3.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58896
Entropy (8bit):	5.843378110040134
Encrypted:	false
SSDEEP:	768:1iUuRp9VpBLm6g5YuLIE4k8kF/DFz1OuIwfBSCciqy0oeDOm+rENdI8V0eWDG4yv:n5gOqdI8V0jyv
MD5:	274853E19235D411A751A750C54B9893
SHA1:	97BD15688B549CD5DBF49597AF508C72679385AF
SHA-256:	D21EB0FD1B2883E9E0B736B43CBBEF9DFA89E31FEE4D32AF9AD52C3F0484987B
SHA-512:	580FA23CBE71AE4970A608C8D1AB88FE3F7562ED18398C73B14D5A3E008EA77DF3E38ABF97C12512786391EE403F675A219FBF5AFE5C8CEA004941B1D1D02A48
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5H..q)d.q)d.q)d..wl.p)d..wd.p)d..w..p)d..wf.p)d.Richq)d.........PE..d...m.:_.........." ................................................................g.....`.........................................` ............................................... ..T............................................................................text............................... ..`.rdata...... ......................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\python37.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3750416
Entropy (8bit):	6.384383088490926
Encrypted:	false
SSDEEP:	49152:KjVpkcACTIK0IKhyn9iafAdH1ZRHLqUCbNSuvYVeP84mzIAA5H0LMznZPMXT7p31:3CTIdKI7UWu4cAgHCMzqNOyVB
MD5:	C4709F84E6CF6E082B80C80B87ABE551
SHA1:	C0C55B229722F7F2010D34E26857DF640182F796
SHA-256:	CA8E39F2B1D277B0A24A43B5B8EADA5BAF2DE97488F7EF2484014DF6E270B3F3
SHA-512:	E04A5832B9F2E1E53BA096E011367D46E6710389967FA7014A0E2D4A6CE6FC8D09D0CE20CEE7E7D67D5057D37854EDDAB48BEF7DF1767F2EC3A4AB91475B7CE4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.y...y...y.......y...'...y......y...'...y...'...y...'...y.......y...y...x..,'..Fy..,'...y..,'...y..,'...y..Rich.y..........................PE..d...c.:_.........." .....8.... .....D.........................................<.......9...`.........................................p....... ?/.\|.....;.......9..w... 9.......;..q......T........................... ................P..0............................text....7.......8.................. ..`.rdata.......P.......<..............@..@.data....z...p/......P/.............@....pdata...w....9..x...(7.............@..@.gfids.......p;.......8.............@..@.rsrc.........;.......8.............@..@.reloc...q....;..r....8.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5core.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5dbus.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5gui.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5multimedia.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	746480
Entropy (8bit):	6.260644163524817
Encrypted:	false
SSDEEP:	6144:jLIJMPFfMerCs1uXdHbbbboLxywnY9jnvQz5dm9mMhI/p5PQCf3FR19EjqD0jKds:j+MPFfMervUXzYeg/mR4G
MD5:	01DF79071F9DA0B9B7BDA3DB7FDC8809
SHA1:	6944ACC06F8691A27AA0833D29F0389F0E036BF0
SHA-256:	1A59AE2A9FF768AD6BFB888FE3DD2544E238F0B28DA83CF375EBD803CE713DC4
SHA-512:	486D3F93E56AB50E0C9937E3472762946AFDBB28279818D42081F5784F3AF2DF6D55253D4CF4839601058DCEFB5E543144B91B4572BED96CA9926A0A2AFE5711
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q..Q..Q..X.&.Y..E...S.....D.....Y.....U.....U.....V..Q.......$.....P...J.P..Q.".P.....P..RichQ..........PE..d...2.._.........." ...............................................................{.....`.................................................@8.......`..............H.......p.......^..T...................P`..(... _..0...............X............................text...R........................... ..`.rdata..............................@..@.data....3.......(...\|..............@....pdata.............................@..@.rsrc........`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5network.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5printsupport.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	317424
Entropy (8bit):	6.4458228745525155
Encrypted:	false
SSDEEP:	6144:809B+97t6UOTX3jrhVzgUA2GqWss4G+1gr7pGZmS0bZqXxtUPNs+5o/83+G2jW7:80v4p6UOjzQR0W7
MD5:	61AC08D0E73555352714FF9044130C52
SHA1:	F5FEE2811236640821A2C18C9E2EAADD509C6E62
SHA-256:	783D4F1FEB8DC0BC00ACB8C094D6C1AB39AC6B5858874E60DD3D45677AF4307A
SHA-512:	6ABDBFE5FFBD5C1C1204EDBFCC47F6B1072AA6A5B229901FE9B22CD2E193E7C963C62B8AC3CABEC6467D2440EADDD47214D8F98A06E885822314B98BBCFC2BDE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z]..;3.;3.;3.C..;3.JT2.;3.JT6.;3.JT7.;3.JT0.;3.P2.;3..K2.;3.;2.?3..K6.;3..K3.;3..K..;3.;..;3..K1.;3.Rich.;3.........................PE..d...4._.........." .................................................................(....`.........................................0=...q.......................&..............L.......T.......................(...`...0...............( ...........................text...O........................... ..`.rdata.............................@..@.data................p..............@....pdata...&.......(..................@..@.rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5qml.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5qmlmodels.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5quick.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5svg.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5websockets.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\qt5widgets.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2227712
Entropy (8bit):	6.1101676126491045
Encrypted:	false
SSDEEP:	49152:otGVV4xwK5c4rvVO2ard4oZut2BRcfcK:f4GrBGc
MD5:	2F4A57E7A4FF7F6EE01BB07D77D89EBC
SHA1:	A03DE0DFD9C94170559097C5D15EF10E1E1AD8C7
SHA-256:	F34CD90B131CEB45B7F32D41680A13FD4B13E5F48F0D1649CBF441833105310C
SHA-512:	4633E946F6CBEA72B3DD4280BE44279565ED50C36DDD5CEF1498975A3FBDA51FD4EE5A6F54C2D249520AF3B8F4161DAA890C90DC831678B2B6C4BB1A969E91FE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...%......!..0..u.........Gk..............................".....1\"...`... .......................................!..\...."..-...`"....... ..............p".4...............................(...................\|.".x............................text...X...........................`..`.data....Y.......Z..................@....rdata..@....0......................@..@.pdata........ .....................@..@.xdata..L..... ....... .............@..@.bss....P/....!..........................edata...\....!..^...N!.............@..@.idata...-....".......!.............@....CRT....X....@".......!.............@....tls.........P".......!.............@....rsrc........`".......!.............@....reloc..4....p".......!.............@..B................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2_image.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	125440
Entropy (8bit):	6.248060009482749
Encrypted:	false
SSDEEP:	3072:6bsejIuO504fzsOM05Nmy7iGpJ7SvFisgf:6bmX0qQOhmyPs
MD5:	B8D249A5E394B4E6A954C557AF1B80E6
SHA1:	B03BB9D09447114A018110BFB91D56EF8D5EC3BB
SHA-256:	1E364AF75FEE0C83506FBDFD4D5B0E386C4E9C6A33DDBDDAC61DDB131E360194
SHA-512:	2F2E248C3963711F1A9F5D8BAEA5B8527D1DF1748CD7E33BF898A380AE748F7A65629438711FF9A5343E64762EC0B5DC478CDF19FBF7111DAC9D11A8427E0007
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...........................j.............................p.......V........ .........................................P.... ..L....P..8.......x............`.............................. @..(...................h#...............................text...............................`.P`.data...............................@.`..rdata...&.......(..................@.`@.pdata..x...........................@.0@.xdata..............................@.0@.bss..................................`..edata..P...........................@.0@.idata..L.... ......................@.0..CRT....X....0......................@.@..tls....h....@......................@.`..rsrc...8....P......................@.0..reloc.......`......................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2_mixer.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	6.31428829821482
Encrypted:	false
SSDEEP:	3072:GeCtxSl2NCjItkjr2tXYsxSfbWO1i9ssFo2Bm:GeCtslnsw2YsxSZ1KssFo2B
MD5:	8668D84320ACEE48BC64D080DD66A403
SHA1:	1D61D908BFA16CE80E8947100C5F3F936B579C44
SHA-256:	900EEB69B67266946F541BC6DA5460E6CB9ED4F92816A1710A84625AD123808C
SHA-512:	53A57A3619425ABEF718ABF9836E9980C42F4130AFA1D7875C4AD5BD5333A4D02D8DB8F274619E6932C2A4A8F46A8AB1C56AFF8F7AF4B2536873ECEBE13C6D93
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....V.....................g.............................................. .............................................. .......`..8....... ............p..4........................... P..(....................#...............................text....T.......V..................`.P`.data........p.......Z..............@.`..rdata...=.......>...`..............@.`@.pdata.. ...........................@.0@.xdata..L...........................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....X....@......................@.@..tls....h....P......................@.`..rsrc...8....`......................@.0..reloc..4....p......................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\sdl2_ttf.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.651428871159069
Encrypted:	false
SSDEEP:	768:ch6nyBqTviPRGTSJuhrLSA9JT1vZgZDAMABz1w:U6yBqeITSm9HW7F
MD5:	14E57C1868EFC1FB2E4787754E233364
SHA1:	09158212CAF3F7F18E3C5AE65EEE4F7A7796CB62
SHA-256:	507DC8A977D543B3E06BD3FCE41F5759D64B2B21AE829CD2EF41B77BF66968C4
SHA-512:	83C0C9E444888D837B95B687E127C0C82FB177A712442DC4303E9D03B837941787449804EFB8A75A3489CCBDB9165BFEC7F99773CAB819B6B14CAC19EB37752C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....P.....................q............................................. .........................................................(.......................h........................... ...(.......................p............................text....O.......P..................`.P`.data...P....`.......T..............@.P..rdata.. ....p.......V..............@.P@.pdata...............^..............@.0@.xdata...............d..............@.0@.bss....0.............................`..edata...............h..............@.0@.idata...............n..............@.0..CRT....X............z..............@.@..tls....h............\|..............@.`..rsrc...(............~..............@.0..reloc..h...........................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\select.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27152
Entropy (8bit):	6.048170705523046
Encrypted:	false
SSDEEP:	384:FekE2XR1G6sOhmQI2HTRcqJcE99qT3dI8qGvnYPLxDG4y8Z6K9:F9csXHN/d9qT3dI8qGvWDG4yM
MD5:	FB4A0D7ABAEAA76676846AD0F08FEFA5
SHA1:	755FD998215511506EDD2C5C52807B46CA9393B2
SHA-256:	65A3C8806D456E9DF2211051ED808A087A96C94D38E23D43121AC120B4D36429
SHA-512:	F5B3557F823EE4C662F2C9B7ECC5497934712E046AA8AE8E625F41756BEB5E524227355316F9145BFABB89B0F6F93A1F37FA94751A66C344C38CE449E879D35F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i...`.e.k...R...k...R...j...R...c...R...c......k...2...l...i...R......h......h......h......h...Richi...........................PE..d...v.:_.........." .........4.......................................................C....`.........................................0:..L...\|:..x............`.......P..........,....3..T...........................`3...............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......6..............@....pdata.......`.......<..............@..@.gfids.......p.......@..............@..@.rsrc................B..............@..@.reloc..,............N..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\ssleay32.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	361984
Entropy (8bit):	6.122702766666827
Encrypted:	false
SSDEEP:	6144:40HTL9wWNf4yMpLc5AdAZSNSxKqpZfyxDEagXPwkqHSu7miSOKIDermsP8CyjzLI:40HTL9wWNf/Mpg5AdAZSNUh/fyxDEagt
MD5:	9DAAB52CECB3107A84062E3FA94945A3
SHA1:	FB8C63FC1E9203915BE82442269A2A63F3D38916
SHA-256:	A62510849ADECDA090F53A132BE49DAA3ACD92B4EACB02D0464F62C06D655AF6
SHA-512:	75F096A146C3E75B2886149E8684E374560DB884256276D2D11B9DB09C78C99EAAC7227A888E7B282A03C2002765F0EF97DA19CD2789C6B6D566E79580E59A24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..h...;...;...;..U;...;K..:...;v..:...;K..:...;K..:...;K..:...;...:...;...;...;...:+..;...:...;..9;...;...:...;Rich...;........................PE..d...N..].........." .....................................................................`.........................................P'...)...P..........H....p..@&.................. ...T...............................................@............................text............................... ..`.rdata..............................@..@.data........p.......X..............@....pdata..@&...p...(...J..............@..@.rsrc...H............r..............@..@.reloc...............x..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22602752
Entropy (8bit):	6.416901024594742
Encrypted:	false
SSDEEP:	98304:7lGnit2d4bS4AxCOjmu/uDv08cl9rvTQEO/yocBeaQGbYw5atLgatF4+95Bgw6cq:uEu4AhruL0t/2/34eU5ujtF4+udl
MD5:	D735279B3606F59AAD13FAB2AA9E9CD5
SHA1:	1DDA8FA756C9A706CC2CD7B72593302346094529
SHA-256:	E19E7629BACED5112011C8700999901DB780083DA2BCD4D35C946BF43CC19474
SHA-512:	A8C91E67651B82B3148280D60CF47CF823323A15EF4D5376EFE0ABD18F650ECEF1E599A1214452A55ED9529EE3666128C57606D13FA9E28E7C1411E741EB162F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.s.3...7...3.....3..6...3..7...3..0...3.K.2...3...2...3...2.q.3..p:...3..p1...3.Rich..3.........PE..d.....mf.........."....%......................@.............................._...........`.................................................\|K..<.......$...p..P............`_.p....k...............................i..@............ ...............................text............................... ..`.rdata..4U... ...V..................@..@.data...(............h..............@....pdata..P....p......................@..@_RDATA..\....p......................@..@.rsrc...$.........................@..@.reloc..p....`_.......X.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\tcl86t.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1705120
Entropy (8bit):	6.496511987047776
Encrypted:	false
SSDEEP:	24576:umJTd0nVi/Md3bupZkKBhWPRIlq5YZ6a2CXH7oZgKGc+erWJUVWyubuapwQDlaTR:umJTd4iMwXH7oZgKb++BVL4B+GITgr0h
MD5:	C0B23815701DBAE2A359CB8ADB9AE730
SHA1:	5BE6736B645ED12E97B9462B77E5A43482673D90
SHA-256:	F650D6BC321BCDA3FC3AC3DEC3AC4E473FB0B7B68B6C948581BCFC54653E6768
SHA-512:	ED60384E95BE8EA5930994DB8527168F78573F8A277F8D21C089F0018CD3B9906DA764ED6FCC1BD4EFAD009557645E206FBB4E5BAEF9AB4B2E3C8BB5C3B5D725
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k)...GD..GD..GD.bFE..GD9..D..GD.bDE..GD.bBE..GD.bCE..GD.r.D..GD.jAE..GD.jFE..GD..FD..GD.bOE..GD.bGE..GD.b.D..GD.bEE..GDRich..GD........PE..d......\.........." .....d..........0h.......................................@.......b....`..........................................p..._......T.......0.... ............... .......<...............................=...............................................text....b.......d.................. ..`.rdata...k.......l...h..............@..@.data...."..........................@....pdata....... ......................@..@.rsrc...0...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\tk86t.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1468064
Entropy (8bit):	6.165850680457804
Encrypted:	false
SSDEEP:	24576:J7+Vm6O8hbcrckTNrkhaJVQhWnmb7u/DSe9qT03ZjLmFMoERDY5TUT/tXzddGyIK:JCQ69cYY9JVQWx/DSe9qTqJLUMPsJUT/
MD5:	FDC8A5D96F9576BD70AA1CADC2F21748
SHA1:	BAE145525A18CE7E5BC69C5F43C6044DE7B6E004
SHA-256:	1A6D0871BE2FA7153DE22BE008A20A5257B721657E6D4B24DA8B1F940345D0D5
SHA-512:	816ADA61C1FD941D10E6BB4350BAA77F520E2476058249B269802BE826BAB294A9C18EDC5D590F5ED6F8DAFED502AB7FFB29DB2F44292CB5BEDF2F5FA609F49C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................B................R..................Rich..................PE..d......\.........." .........J......@........................................p.......f....`.............................................@@..P>..\|........{......,....L.......0...?..`................................................ ..P............................text...c........................... ..`.rdata...?... ...@..................@..@.data........`.......N..............@....pdata..,...........................@..@.rsrc....{.......\|..................@..@.reloc...?...0...@..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\unicodedata.pyd

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1073680
Entropy (8bit):	5.327852618149687
Encrypted:	false
SSDEEP:	12288:ge+YbeoEYa6l0SYxytHcQJJwEI+V/IFx7agsSJNzkRoEVnOPmrZ6bK:ge+BN6axoc1r+VUx7agnNctOo6K
MD5:	4D3D8E16E98558FF9DAC8FC7061E2759
SHA1:	C918AB67B580F955B6361F9900930DA38CEC7C91
SHA-256:	016D962782BEAE0EA8417A17E67956B27610F4565CFF71DD35A6E52AB187C095
SHA-512:	0DFABFAD969DA806BC9C6C664CDF31647D89951832FF7E4E5EEED81F1DE9263ED71BDDEFF76EBB8E47D6248AD4F832CB8AD456F11E401C3481674BD60283991A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........VQx..Qx..Qx..X.O.Wx..j&..Sx..j&..Sx..j&..Zx..j&..[x...&..Rx......Sx..Qx...x...&..Px...&..Px...&#.Px...&..Px..RichQx..........................PE..d...w.:_.........." .....@..........h5....................................................`..........................................b..X...Hc.......p.......P..X....H..............`u..T............................u...............P..8............................text...Q?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata..X....P......................@..@.gfids.......`.......8..............@..@.rsrc........p.......:..............@..@.reloc...............F..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\vcruntime140.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87864
Entropy (8bit):	6.50974924823557
Encrypted:	false
SSDEEP:	1536:JiOTTyNdd/mqN5fomseOpLJ5UP4nVnWecbtGgcNZVKL:JD4Vzgh5UXecbt2ju
MD5:	89A24C66E7A522F1E0016B1D0B4316DC
SHA1:	5340DD64CFE26E3D5F68F7ED344C4FD96FBD0D42
SHA-256:	3096CAFB6A21B6D28CF4FE2DD85814F599412C0FE1EF090DD08D1C03AFFE9AB6
SHA-512:	E88E0459744A950829CD508A93E2EF0061293AB32FACD9D8951686CBE271B34460EFD159FD8EC4AA96FF8A629741006458B166E5CFF21F35D049AD059BC56A1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).uym~.m~.m~....o~.d..f~.m~.F~.V .+n~.V .+g~.V .+f~.V .+s~.V .+l~.V .l~.V .+l~.Richm~.........PE..d....Z.........." .........T......@........................................p......m.....`A........................................0...4...d........P.......0..........8?...`..p...p...8............................................................................text...'........................... ..`.rdata..f5.......6..................@..@.data........ ......................@....pdata.......0......................@..@_RDATA.......@......................@..@.rsrc........P......................@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\vcruntime140_1.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\zlib1.dll

Process:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	108544
Entropy (8bit):	6.422076432206121
Encrypted:	false
SSDEEP:	3072:wLmjK8n5MYk+NqZSB23eRenGvTBfs9Yy0J:wLl8n5MYCjFnaTBwYy0
MD5:	5EAC41B641E813F2A887C25E7C87A02E
SHA1:	EC3F6CF88711EF8CFB3CC439CB75471A2BB9E1B5
SHA-256:	B1F58A17F3BFD55523E7BEF685ACF5B32D1C2A6F25ABDCD442681266FD26AB08
SHA-512:	CAD34A495F1D67C4D79ED88C5C52CF9F2D724A1748EE92518B8ECE4E8F2FE1D443DFE93FB9DBA8959C0E44C7973AF41EB1471507AB8A5B1200A25D75287D5DE5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....&.....................b.............................@................ .........................................\|.......x.... .......................0.............................. ...(....................................................text....%.......&..................`.P`.data...P....@.......*..............@.P..rdata...Q...P...R...,..............@.`@.pdata...............~..............@.0@.xdata..l...........................@.0@.bss..................................`..edata..\|...........................@.0@.idata..x...........................@.0..CRT....X...........................@.@..tls....h...........................@.`..rsrc........ ......................@.0..reloc.......0......................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\rkn.exe

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	6.948416585892318
Encrypted:	false
SSDEEP:	768:iq6bYI7ev0DeJpFgjzjW8SGJVnxsJ/cS7iKGztVuanh8w2OfJ7ejaP6yEqzeGO0I:iXbWv04jgXjW8PHccS7i9u6yeNejY6ys
MD5:	4B683807246FC18189D63DD9A4E9429F
SHA1:	1DED192558723EBE1DE20B099343DA06D6A215C5
SHA-256:	BA77B5949CA2198459C7F2F260C1B57AF93F4B3466F8278BFCAB114C9E0B2D79
SHA-512:	7B177DE3ADB54FE049E5A4D927957008F4829A46FC6C8206657F5BC6435F079A6E47FD3FFCCFD03D6F40F125855659B3380E9C33C1EDA0E7E5D14180CA761377
Malicious:	true
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\rkn.exe, Author: unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..S,.x.,.x.,.x.%...&.x.~.}.?.x.~.\|. .x.~.{.-.x.~.y.(.x.g.y.).x.,.y...x...q.-.x.....-.x...z.-.x.Rich,.x.................PE..L...m]nf..................................... ....@.......................................@..................................%..................................p...,!..p............................!..@............ ...............................text...)........................... ..`.rdata..t.... ......................@..@.data.......0....... ..............@....rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unity.pdf

Process:	C:\Users\user\AppData\Local\Temp\rkn.exe
File Type:	PDF document, version 1.7, 4 pages
Category:	dropped
Size (bytes):	86196
Entropy (8bit):	7.87858938350625
Encrypted:	false
SSDEEP:	1536:hBhksShBntb0liRZmRKIQh13cqT+Mve6US2c6fGJ76c3oW9CMJ6yd:lk1N9bRZmRDQuUPe6US2c6No9CM3
MD5:	CC4676EF08E8AECBE22B9232F27B2141
SHA1:	03BB3A2CB2C8A5CF7B93CF7C666C470144CFD724
SHA-256:	48331EA4E205E07525F47149D19C8F78DBA24EE63147A74F7D0A443008E4587D
SHA-512:	A27DAEF2DB426114F9B45F9EAD7C0CF5E6C84389570E51C749C9CE9BAD8AB6D2C866C54A291FA5A6D83AB7B476A00E9AD4729C92ED53B5371AF7E2382CCBEC96
Malicious:	false
Preview:	%PDF-1.7.%.....2 0 obj.<</Length 3 0 R/Filter/FlateDecode>>.stream.x..XK..G...(.-..R.....n.....B...6.8f..I.}$..3.x.Nou=.O.>.Fv .><<..~...W1.;........m....@.......?.?...zx.}.....$.0.....^>.......cb.t...a...8.... ...H+.}/.....2J'..s....<..p...FN ....c..4....O..\|x..:?.........o1....b........b..h........G5>..I.....M.9..H.....34.<..#..qV.=.V.\|..y.....q&8\|.<.ox..q<..Az.7.....g}...F...a.H.....b:..C..t.......;.Y....D..o...........F..q.'..#.h....A...$rH2..(.V......1.ML4....0......-.>+.S`....e.zC~.ls.1..>A..F@...3..,D.+...b.xo...Ekh.e.oca.XxL..~.8.=.[...(3fQ........^[..M.\.T%;}!..$.,..{.......@.<E2G...g{.y.g..J^y[DEq./\|..)....ce..... .............q.m...L..{..X.A3VA^.....`m...=..I"#s..e.%5. .8k..XOJh...]"Tr.d.-s.s..3.6>.....s.B..a.8-.6....~....21.j...."A.....Vz;.j....a.&..L.......x...dd..T......9..e.\.....oZ..DaS./..lN2jE......p......2....s.`3........A_k.U.fN.....Y9..~...b.4...:..N..K..R.t.2.S ..Q..M....E.J!.YN.[.o.tN.f=....r...w..ud...Iq..j;

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	85893
Entropy (8bit):	6.4285188239971465
Encrypted:	false
SSDEEP:	1536:Lh3s60i02RwxwFnZNt0zfIagnbSLDII+DY:LVs/i0C4IZN+gbE8pDY
MD5:	B7A9A5A223B9DCE0E7D10E2B32A0BA07
SHA1:	FFB925FA80873CF50D8CB6DA530BA8CD7F0D9922
SHA-256:	4EF52E63D45F5230C47DBD3764AA90768F708B24885579375724473BB3FFB255
SHA-512:	A46488535961F26B7E41E1BA98E2015627917366BE08B172B0A5377E5A4EC1C0BD14F1A4E2473B5831A7538B3554E818FE3349DA42C0F40E03B3474EC77532F4
Malicious:	false
Preview:	0..O.0..Mg...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240403114831Z..240410114831Z0..L.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!......S....fNj'.wy..210602000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.5099882082938105
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRmyOFfBS9i7u8meIHKbw2O9TrU/Y/QmpFlT1xaOu8OAbsHqvNDVk:y2GWnSmyOtci7umNbQ9TrUw/QmxT1xsD
MD5:	152F65AAA856C44E87C8ED561AE43C0F
SHA1:	B6440383DBC4D3446E91CBB58EEB8C8BD6671F50
SHA-256:	48AC59FC9FA38016B6D5A4CB5D89A2C0CABCD8A0404AF29FBE995B4AA647A292
SHA-512:	106287A2EA36511D229E6991638D99B796B24B05D4BC8AE75BE5E9B79EA7A324330A26B3B4028FC4A8523FB82D7E3F9A793AE0E9C1F377939956C5667E44381E
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240401194722Z..240422194722Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H............._..T...?..G).L/..K..5...3.j(..G.D0...>...bH.p.O{..Y....^.]I.G......~r.Ye...Sy.....X...1........8'../...O...P;QO.-O.BUq......1s..(,....v....L.q..H.6j %..R.p..H..).;vt.....6...r]/.....4.%....G....J..3Y.....d....N....tu...q....2.wm..$...d...w...G?..h.?.+E...$d.........80X45[...A.7,.....s`...sS.g.]...].i...y].bu.U.......AP....T.d!...eB.`...u.....Z....&.....*$mY..q7.;.5..s..x.$.._..5.W..F?p@.+Ud-...&'...po$..4R7L.`.g.......J...........h...M(./>)..;.g....B..F.?>...Q{%.i.....!lm\|\|..cxb..

\Device\Null

Process:	C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.156721778700509
Encrypted:	false
SSDEEP:	6:fFN3vPINwkn23fARBA6RNwkn23fARBAmGwq5MtfrDRd+rg:f7f4sf4Iwq5obn
MD5:	DE027C8AC18269DAF2B284463324BE83
SHA1:	FAF53E7F87F094B2962E7482FEE7DF7DA2A1BC8A
SHA-256:	73C0B7807F591B87D3337E5E10543E58189B100586E73B717D724844FCC092A0
SHA-512:	1BE57A4B0213191B3C6C0040D30B21FA41902ECC74DED81CB57BCDED56A1B20B0C4F1BF5EDD4E918345879C325C36A4118F41AE7C8983E880C020A3A1A1D05E1
Malicious:	false
Preview:	Traceback (most recent call last):.. File "C:\Users\user\AppData\Local\Temp\ONEFIL~1\staged_out.py", line 42, in <module>.. File "C:\Users\user\AppData\Local\Temp\ONEFIL~1\staged_out.py", line 9, in extract_bytes2..FileNotFoundError: [Errno 2] No such file or directory: 'image1.jpg'..

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.158356107957075
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FFbd.dll
File size:	10'240 bytes
MD5:	ff70a29ec9361ec5c5107788dfa3fcb3
SHA1:	3a8206eba21c66c2955f970dbb8ceac36dbab917
SHA256:	87904f0d8a76ca68a802faa3987df9490b8bd213937c9028afe6089f036a864c
SHA512:	3b8b43f54332027a7dd56283a13dd998793a9ca2b32df6d128708e813b01d02ceccf77c4ad23449ad62b0bd5d5aa4fe7123afee6c1aba74d5b86a78833e6a1ee
SSDEEP:	192:OECWJBPHhqt33bXvFQWyjOvp/C2j3WzMVft4L:O0hwt3btsj4p/rj3WCfu
TLSH:	0B222A82FE0446B6EA6901323477863A876CFA345FE55D43FB13E60908262D1BD35DAE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.[7.g5d.g5d.g5d...d.g5dG.4e.g5dG.0e.g5dG.1e.g5dG.6e.g5d^.4e.g5d.g4d:g5d..<e.g5d..5e.g5d...d.g5d..7e.g5dRich.g5d...............

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001682
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x666E5DAB [Sun Jun 16 03:36:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	472c0afeb8cf617f8176b68d6ff4e0bd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F88DCC81EF7h
call 00007F88DCC82079h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F88DCC81DA3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1000304Ch]
push dword ptr [ebp+08h]
call dword ptr [10003050h]
push C0000409h
call dword ptr [10003048h]
push eax
call dword ptr [10003044h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [10003040h]
test eax, eax
je 00007F88DCC81EF7h
push 00000002h
pop ecx
int 29h
mov dword ptr [10004128h], eax
mov dword ptr [10004124h], ecx
mov dword ptr [10004120h], edx
mov dword ptr [1000411Ch], ebx
mov dword ptr [10004118h], esi
mov dword ptr [10004114h], edi
mov word ptr [10004140h], ss
mov word ptr [10004134h], cs
mov word ptr [10004110h], ds
mov word ptr [1000410Ch], es
mov word ptr [10004108h], fs
mov word ptr [10004104h], gs
pushfd
pop dword ptr [10004138h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1000412Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00004130h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3660	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a8	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x180	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3198	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3208	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x106b	0x1200	fe6ea84ae81bf518f0ac1b1a95efdfb6	False	0.5831163194444444	COM executable for DOS	5.877702727235797	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0xb78	0xc00	556001c6423ab2aa70cc37d52c3915c0	False	0.4303385416666667	data	4.355577703366855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x39c	0x200	3daece0110e8b3671b990d52a1a0ab2d	False	0.0546875	data	0.26546687076190567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5000	0xf8	0x200	363d86a144062b41d123c32b4b5cf515	False	0.3359375	data	2.5119620156497993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0x180	0x200	254f0214a77c46cdf221e12d089146d7	False	0.7734375	data	5.352463600576371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x5060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	GetTempPathW, CreateFileW, WriteFile, CloseHandle, CopyFileW, ExpandEnvironmentStringsW, CreateProcessW, WaitForSingleObject, Sleep, IsDebuggerPresent, InitializeSListHead, DisableThreadLibraryCalls, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter
WININET.dll	InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW
SHLWAPI.dll	PathCombineW
VCRUNTIME140.dll	memset, __std_type_info_destroy_list, _except_handler4_common
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vswprintf_s
api-ms-win-crt-runtime-l1-1-0.dll	_initialize_narrow_environment, _seh_filter_dll, _initterm, _cexit, _initialize_onexit_table, _initterm_e, _configure_narrow_argv, _execute_onexit_table

Exports

Name	Ordinal	Address
apt66	1	0x10001040

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	00:58:54
Start date:	05/07/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\FFbd.dll"
Imagebase:	0x8d0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	00:58:54
Start date:	05/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	00:58:54
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	00:58:54
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\FFbd.dll,apt66
Imagebase:	0x2b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	00:58:54
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\FFbd.dll",#1
Imagebase:	0x2b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	00:58:57
Start date:	05/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\FFbd.dll",apt66
Imagebase:	0x2b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	00:58:58
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Local\Temp\rkn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\rkn.exe"
Imagebase:	0x580000
File size:	47'104 bytes
MD5 hash:	4B683807246FC18189D63DD9A4E9429F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000000.1716817368.0000000000583000.00000008.00000001.01000000.00000005.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.2394995201.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.2394739280.0000000000584000.00000008.00000001.01000000.00000005.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\rkn.exe, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	00:58:58
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Local\Temp\rkn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\rkn.exe"
Imagebase:	0x580000
File size:	47'104 bytes
MD5 hash:	4B683807246FC18189D63DD9A4E9429F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.1859570340.00000000005D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.1859480878.0000000000584000.00000008.00000001.01000000.00000005.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000000.1720009194.0000000000583000.00000008.00000001.01000000.00000005.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	00:59:00
Start date:	05/07/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	00:59:01
Start date:	05/07/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	00:59:01
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Local\Temp\rkn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\rkn.exe"
Imagebase:	0x580000
File size:	47'104 bytes
MD5 hash:	4B683807246FC18189D63DD9A4E9429F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.1906067523.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.1905614691.0000000000584000.00000008.00000001.01000000.00000005.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000000.1748245426.0000000000583000.00000008.00000001.01000000.00000005.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	00:59:02
Start date:	05/07/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1668,i,5790033669171981686,32294422139624892,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	13
Start time:	00:59:05
Start date:	05/07/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	00:59:41
Start date:	05/07/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\unity.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	00:59:42
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Local\Temp\apt66ext.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\apt66ext.exe"
Imagebase:	0x7ff638500000
File size:	55'675'088 bytes
MD5 hash:	494A19DC7E5EAA0E516ECE245D2661DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 18%, ReversingLabs
Has exited:	true

Target ID:	22
Start time:	00:59:50
Start date:	05/07/2024
Path:	C:\Users\user\AppData\Local\Temp\onefile_8740_133646291825138024\staged_out.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\apt66ext.exe"
Imagebase:	0x7ff6dad70000
File size:	22'602'752 bytes
MD5 hash:	D735279B3606F59AAD13FAB2AA9E9CD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true