Windows Analysis Report
eETnl6XIwn

Overview

General Information

Sample name: eETnl6XIwn
renamed because original name is a hash value
Original sample name: 2024-10-15_f3597861327b985e3fd109c1bf44eda1_cobalt-strike_megazord_zxxz
Analysis ID: 1541341
MD5: f3597861327b985e3fd109c1bf44eda1
SHA1: 587838a9242d3b8b063e07427fa95f900aa0842b
SHA256: e8a8473c1e01688d370bbb1968b6361264c56a65ddbb31f8278ac618618f4efa

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 62
Range: 0 - 100

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 86.4% probability

Compliance

Source: eETnl6XIwn Static PE information: certificate valid
Source: eETnl6XIwn Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\node.exe\temp\node-v22.6.0\out\Release\node.pdb6 source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF728421000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\projects\ref-napi\build\Release\binding.pdb source: eETnl6XIwn.exe, 00000000.00000003.1321000032.000001C1C56BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\node.exe\temp\node-v22.6.0\out\Release\node.pdb source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF728421000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\rdcadm\jenkins\workspace\WindowsBuild\2.0\dev\target\win\Release\Adobe Download Manager.pdb source: Reader_br_install.exe, 00000008.00000002.2369843802.0000000000D61000.00000040.00000001.01000000.00000007.sdmp
Source: Binary string: C:\projects\node-ffi-napi\build\Release\ffi_bindings.pdb source: eETnl6XIwn.exe, 00000000.00000003.1323131278.000001C1C5780000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 4x nop then dec ebp 0_3_00007FF6A6AC6474
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 5x nop then dec ebp 0_3_00007FF6A6AC6474
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 4x nop then dec eax 0_3_00007FF6A6AC6474
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 4x nop then dec eax 0_3_00007FF6A6AC7637
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 4x nop then dec ebp 0_3_00007FF6A6AC687E
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 4x nop then dec eax 0_3_00007FF6A6AC7780
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/mafintosh/pump
Source: eETnl6XIwn.exe, 00000000.00000003.1400265682.000001C1C566B000.00000004.00000020.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1414143866.0000000F036C1000.00000004.00001000.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1398670226.000001C1C5711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/medikoo/es6-symbol/issues/12
Source: eETnl6XIwn.exe, 00000000.00000003.1400265682.000001C1C566B000.00000004.00000020.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1414143866.0000000F036C1000.00000004.00001000.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1398670226.000001C1C5711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/medikoo/es6-symbol/issues/13#issuecomment-164146149
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/mozilla/sweet.js/wiki/design
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/mysticatea/abort-controller
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node-v0.x-archive/issues/2876.
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/10673
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/13435
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/19009
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/2006
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/2119
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/3392
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/34532
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35452
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35475
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35862
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/35981
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/39758
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/44985
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/45699
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/49472
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/49473
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/51486
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/issues/52219
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/12342
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/12607
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/13870#discussion_r124515293
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/1771#issuecomment-119351671
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/21313
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/26334.
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/30380#issuecomment-552948364
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/30958
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/33515.
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/33661
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/3394
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/34010
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/34103#issuecomment-652002364
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/34375
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/34385
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/35949#issuecomment-722496598
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/36061#discussion_r533718029
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/38248
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/38433#issuecomment-828426932
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/38614)
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/43714
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/46161
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/46528
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/49730#discussion_r1331720053
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/node/pull/49891#issuecomment-1744673430.
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/single-executable
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/nodejs/undici/issues/2021
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/sinonjs/fake-timers/blob/a4c757f80840829e45e0852ea1b17d87a998388e/src/fake-timers
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/ecma262/issues/1209
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/proposal-iterator-helpers/issues/169
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/tc39/proposal-ses/blob/e5271cc42a257a05dcae2fd94713ed2f46c08620/shim/src/freeze.j
Source: eETnl6XIwn.exe, 00000000.00000003.1400265682.000001C1C566B000.00000004.00000020.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1414143866.0000000F036C1000.00000004.00001000.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1398670226.000001C1C5711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/thejoshwolfe/yauzl/issues/33
Source: eETnl6XIwn.exe, 00000000.00000003.1400265682.000001C1C566B000.00000004.00000020.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1414143866.0000000F036C1000.00000004.00001000.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1398670226.000001C1C5711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/thejoshwolfe/yauzl/issues/47
Source: eETnl6XIwn.exe, 00000000.00000003.1400265682.000001C1C566B000.00000004.00000020.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1414143866.0000000F036C1000.00000004.00001000.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1398670226.000001C1C5711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/thejoshwolfe/yauzl/issues/87
Source: Reader_br_install.exe, 00000008.00000003.1704789560.000000000A691000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2512824668.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000003.1716134636.000000000A720000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000003.1731379604.0000000009CD0000.00000004.00000800.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000003.1681545899.00000000045F6000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2640882227.000000000A280000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://goo.gl/t5IS6M).
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#define-the-operations
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#dfn-default-iterator-object
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#dfn-iterator-prototype-object
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-interfaces
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-iterable
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-iterable-entries
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-iterators
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-namespaces
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://heycam.github.io/webidl/#es-stringifier
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html#server-sent-events.org/
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html#sse-processing-model
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/server-sent-events.html#the-eventsource-interface
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/system-state.html#the-navigator-object
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attributes
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/web-messaging.html#broadcasting-to-other-browsing-contexts
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope.
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/webstorage.html#webstorage
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://invisible-island.net/ncurses/terminfo.ti.html#toc-_Specials
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://jimmy.warting.se/opensource
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://linux.die.net/man/1/dircolors).
Source: Reader_br_install.exe, 00000008.00000002.2512824668.0000000005A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comta
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ltp.sourceforge.net/coverage/lcov/geninfo.1.php
Source: eETnl6XIwn.exe, 00000000.00000003.1400265682.000001C1C566B000.00000004.00000020.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1414143866.0000000F036C1000.00000004.00001000.00020000.00000000.sdmp, eETnl6XIwn.exe, 00000000.00000003.1398670226.000001C1C5711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathiasbynens.be/notes/globalthis
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://mimesniff.spec.whatwg.org/#mime-type-essence
Source: Reader_br_install.exe String found in binary or memory: https://mths.be/ar
Source: Reader_br_install.exe, 00000008.00000003.1658565014.00000000083FE000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2369843802.00000000010B6000.00000040.00000001.01000000.00000007.sdmp, Reader_br_install.exe, 00000008.00000003.1653035288.0000000008793000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mths.be/array-from
Source: Reader_br_install.exe, Reader_br_install.exe, 00000008.00000002.2569442441.000000000879C000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000003.1658565014.00000000083FE000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2369843802.00000000010B6000.00000040.00000001.01000000.00000007.sdmp, Reader_br_install.exe, 00000008.00000003.1653035288.0000000008793000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mths.be/array-of
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://no-color.org/
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp, eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode).
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp, eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/fs.html
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/fs.htmll
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/api/permissions.html#file-system-permissions
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v22.6.0/node-v22.6.0-headers.tar.gz
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v22.6.0/node-v22.6.0.tar.gz
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727DF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://nodejs.org/download/release/v22.6.0/win-x64/node.lib
Source: Reader_br_install.exe, 00000008.00000002.2688949280.000000000A846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p.typekit.net/
Source: Reader_br_install.exe, 00000008.00000002.2554845931.00000000085FD000.00000004.00000800.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000003.1664613949.00000000085F8000.00000004.00000800.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2526902738.00000000083F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p.typekit.net/p.gif
Source: Reader_br_install.exe, 00000008.00000002.2526902738.00000000084BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p.typekit.net/p.gif?s=1&k=bxf0ivf&ht=tk&h=C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CRea
Source: Reader_br_install.exe, 00000008.00000002.2688949280.000000000A846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p.typekit.net/y
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html).
Source: Reader_br_install.exe, 00000008.00000002.2688949280.000000000A846000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io
Source: Reader_br_install.exe, 00000008.00000002.2540059119.000000000856B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/
Source: Reader_br_install.exe, Reader_br_install.exe, 00000008.00000002.2433630279.0000000001665000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2369843802.000000000100C000.00000040.00000001.01000000.00000007.sdmp, Reader_br_install.exe, 00000008.00000002.2511998604.0000000005530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/adm/actionList
Source: Reader_br_install.exe, 00000008.00000002.2688949280.000000000A89E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/adm/actionList?installerName=readerdc64_br_ha_install.exe&defaultInstallerName=
Source: Reader_br_install.exe, 00000008.00000002.2688949280.000000000A89E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/adm/actionlist?installername=readerdc64_br_ha_install.exe&defaultinstallername=
Source: Reader_br_install.exe, 00000008.00000002.2540059119.00000000085B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/analytics/events
Source: Reader_br_install.exe, 00000008.00000002.2688949280.000000000AA3F000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2685703837.000000000A766000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2679294479.000000000A6F1000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2526902738.0000000008458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.io/analytics/events?UniqueId=2FD4D48C-D70B-41FD-A2CA-43B07053D4C5&abbr=rdr&admErro
Source: Reader_br_install.exe, 00000008.00000002.2369843802.0000000000D61000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: https://rdc.adobe.io/analytics/eventsanalyticstestWorkflowShowing
Source: Reader_br_install.exe, 00000008.00000002.2540059119.000000000856B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.ioCon
Source: Reader_br_install.exe, 00000008.00000002.2540059119.000000000856B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.ioW
Source: Reader_br_install.exe, 00000008.00000002.2540059119.000000000856B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rdc.adobe.iong
Source: Reader_br_install.exe String found in binary or memory: https://reactjs.org/docs/e
Source: Reader_br_install.exe, Reader_br_install.exe, 00000008.00000002.2650176410.000000000A3C0000.00000004.00000800.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2631504109.000000000A17A000.00000004.00000800.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000003.1658565014.00000000083FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC6474 0_3_00007FF6A6AC6474
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00D74200 8_2_00D74200
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00D8B920 8_2_00D8B920
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFEC84138F3 9_2_00007FFEC84138F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFEC85450ED 9_2_00007FFEC85450ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFEC87F2C15 9_2_00007FFEC87F2C15
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 3208
Source: Reader_br_install.exe.0.dr Static PE information: Resource name: RT_CURSOR type: PPMN archive data
Source: eETnl6XIwn.exe, 00000000.00000000.1272053384.00007FF728DD7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAdobe Download Manager4 vs eETnl6XIwn
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: eETnl6XIwn.exe, 00000000.00000000.1272053384.00007FF728A37000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: pI@@.vbpO[xllz
Source: classification engine Classification label: mal60.evad.win@11/35@0/2
Source: C:\Users\user\Desktop\eETnl6XIwn.exe File created: C:\Users\user\AppData\Roaming\ChromeApplication
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Mutant created: \Sessions\1\BaseNamedObjects\Adobe_ADM.log
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Mutant created: \Sessions\1\BaseNamedObjects\Adobe_GDE.log
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
Source: C:\Users\user\Desktop\eETnl6XIwn.exe File created: C:\Users\user\AppData\Local\Temp\amd_64_browser.inf.resources_pi905f2cs0550a3a_7.2.22992.0_none_21yyw11db43e3187k
Source: eETnl6XIwn Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727CED000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF727CED000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: unknown Process created: C:\Users\user\Desktop\eETnl6XIwn.exe "C:\Users\user\Desktop\eETnl6XIwn.exe"
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process created: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe C:\Users\user\AppData\Local\Temp\Reader_br_install.exe
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ChromeApplication'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process created: C:\Users\user\AppData\Roaming\ChromeApplication\chrome.exe C:\Users\user\AppData\Roaming\ChromeApplication\chrome.exe --own=746719
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 3208
Source: C:\Windows\SysWOW64\WerFault.exe Process created: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe "C:\Users\user\AppData\Local\Temp\Reader_br_install.exe" /RestartByRestartManager:8CE82F05-601B-48eb-B232-8AC552E9072E
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: oleaccrc.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: pgpmapih.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msiso.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mshtml.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: jscript9.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msimtf.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: d2d1.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: oleaccrc.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: pgpmapih.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msiso.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mshtml.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: jscript9.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: msimtf.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: d2d1.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: eETnl6XIwn Static PE information: certificate valid
Source: eETnl6XIwn Static PE information: More than 8191 > 100 exports found
Source: eETnl6XIwn Static PE information: Virtual size of .text is bigger than: 0x100000
Source: eETnl6XIwn Static PE information: Image base 0x140000000 > 0x60000000
Source: eETnl6XIwn Static file information: File size 52847880 > 1048576
Source: eETnl6XIwn Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ab400
Source: eETnl6XIwn Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1318400
Source: eETnl6XIwn Static PE information: Raw size of .pdata is bigger than: 0x100000 < 0x12d000
Source: eETnl6XIwn Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x40d000
Source: eETnl6XIwn Static PE information: More than 200 imports for KERNEL32.dll
Source: eETnl6XIwn Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eETnl6XIwn Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eETnl6XIwn Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eETnl6XIwn Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eETnl6XIwn Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eETnl6XIwn Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eETnl6XIwn Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\node.exe\temp\node-v22.6.0\out\Release\node.pdb6 source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF728421000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\projects\ref-napi\build\Release\binding.pdb source: eETnl6XIwn.exe, 00000000.00000003.1321000032.000001C1C56BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\node.exe\temp\node-v22.6.0\out\Release\node.pdb source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF728421000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\rdcadm\jenkins\workspace\WindowsBuild\2.0\dev\target\win\Release\Adobe Download Manager.pdb source: Reader_br_install.exe, 00000008.00000002.2369843802.0000000000D61000.00000040.00000001.01000000.00000007.sdmp
Source: Binary string: C:\projects\node-ffi-napi\build\Release\ffi_bindings.pdb source: eETnl6XIwn.exe, 00000000.00000003.1323131278.000001C1C5780000.00000004.00000020.00020000.00000000.sdmp
Source: eETnl6XIwn Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eETnl6XIwn Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eETnl6XIwn Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eETnl6XIwn Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eETnl6XIwn Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: eETnl6XIwn Static PE information: section name: _RDATA
Source: chrome.exe.0.dr Static PE information: section name: _RDATA
Source: chrome.exe.0.dr Static PE information: section name: .fptable
Source: 153a5d422243f7f95721f6c2c5de8c9d.node.0.dr Static PE information: section name: .didat
Source: 153a5d422243f7f95721f6c2c5de8c9d.node.0.dr Static PE information: section name: .00cfg
Source: d1f6e50334a50a3f1f8e35e02d788ad9.node.0.dr Static PE information: section name: .didat
Source: d1f6e50334a50a3f1f8e35e02d788ad9.node.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6A88A5E push ecx; ret 0_3_00007FF6A6A88A8A
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC6474 push ecx; ret 0_3_00007FF6A6AC6633
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC6474 push edx; ret 0_3_00007FF6A6AC72B7
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC6474 push ecx; ret 0_3_00007FF6A6AC7D68
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC37B8 push ecx; ret 0_3_00007FF6A6AC37E4
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6ACAEB8 push edx; ret 0_3_00007FF6A6ACAEE6
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC4447 push ecx; ret 0_3_00007FF6A6AC4468
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6AC9278 push edx; ret 0_3_00007FF6A6AC92A6
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Code function: 0_3_00007FF6A6ACE0E8 push edx; ret 0_3_00007FF6A6ACE5B7
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F319CC push ecx; ret 8_2_00F319DF
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\eETnl6XIwn.exe File created: C:\Users\user\AppData\Local\Temp\amd_64_browser.inf.resources_pi905f2cs0550a3a_7.2.22992.0_none_21yyw11db43e3187k\153a5d422243f7f95721f6c2c5de8c9d.node
Source: C:\Users\user\Desktop\eETnl6XIwn.exe File created: C:\Users\user\AppData\Local\Temp\amd_64_browser.inf.resources_pi905f2cs0550a3a_7.2.22992.0_none_21yyw11db43e3187k\d1f6e50334a50a3f1f8e35e02d788ad9.node
Source: C:\Users\user\Desktop\eETnl6XIwn.exe File created: C:\Users\user\AppData\Roaming\ChromeApplication\chrome.exe
Source: C:\Users\user\Desktop\eETnl6XIwn.exe File created: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 40F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 46F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 4870000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 4890000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 8650000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 86F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 8710000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 98E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9940000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9F70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9FD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A030000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A0B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A110000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A130000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A1F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A220000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A240000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A280000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A2C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A340000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A3E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A420000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A4E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A550000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 8770000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9990000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 99B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9C70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9C90000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9CB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9CD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: AA90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9CF0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9F30000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9D20000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: CBA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9F10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: CB70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: CE30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: CE50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: A0D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: C980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: C780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: C7A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 3690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 3D50000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 3ED0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 3EF0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 7BD0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 7C70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 7C90000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 8E80000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 8EE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9510000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9570000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 95D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9650000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 96B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 96D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9790000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 97C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 97E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9800000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9820000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9940000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9980000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 99C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9A80000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: 9AF0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2538 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7236 Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\amd_64_browser.inf.resources_pi905f2cs0550a3a_7.2.22992.0_none_21yyw11db43e3187k\153a5d422243f7f95721f6c2c5de8c9d.node Jump to dropped file
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\amd_64_browser.inf.resources_pi905f2cs0550a3a_7.2.22992.0_none_21yyw11db43e3187k\d1f6e50334a50a3f1f8e35e02d788ad9.node Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F3255A VirtualQuery,GetSystemInfo, 8_2_00F3255A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Reader_br_install.exe, 00000008.00000002.2512824668.0000000005A5C000.00000004.00000020.00020000.00000000.sdmp, Reader_br_install.exe, 00000008.00000002.2433630279.00000000016BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Reader_br_install.exe, 00000008.00000002.2433630279.00000000016BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: eETnl6XIwn.exe, 00000000.00000000.1252250904.00007FF7272ED000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00D74200 LdrInitializeThunk,CreateEventW,CreateEventW,CreateEventW,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,GetLastError,GetLastError,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,WaitForMultipleObjects,MultiByteToWideChar,MultiByteToWideChar,PathFileExistsW,PathFileExistsW,PathIsDirectoryW,DeleteFileW,GetLastError,CreateFileW,WriteFile,CreateFileW,FlushFileBuffers,CloseHandle,CloseHandle,GetLastError,GetLastError,GetLastError,GetLastError,CertGetIssuerCertificateFromStore,CertGetNameStringW,LocalAlloc,CertGetNameStringW,LocalFree,CloseHandle,CloseHandle,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 8_2_00D74200
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F38D81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F38D81
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F568F6 mov eax, dword ptr fs:[00000030h] 8_2_00F568F6
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F48E3C mov ecx, dword ptr fs:[00000030h] 8_2_00F48E3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F314FE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00F314FE
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Code function: 8_2_00F38D81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F38D81
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\eETnl6XIwn.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ChromeApplication'"
Source: C:\Users\user\Desktop\eETnl6XIwn.exe NtReadVirtualMemory: Indirect: 0x7FFF27E24331 Jump to behavior
Source: C:\Users\user\Desktop\eETnl6XIwn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\amd_64_browser.inf.resources_pi905f2cs0550a3a_7.2.22992.0_none_21yyw11db43e3187k VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Reader_br_install.exe VolumeInformation