Windows Analysis Report
goXq0JH6sn.exe

Overview

General Information

Sample name: goXq0JH6sn.exe (renamed because original name is a hash value)
Original sample name: 11129aad3b5baa1d118ec0ee3922278c194e43f6e2f0fcef221c65e5f4490d3b.exe
Analysis ID: 1543069
MD5: 523d6d251e5f8f9d7db1a3645967e72e
SHA1: aca4932ac18f5c0227ee85e01da35a0b66285424
SHA256: 11129aad3b5baa1d118ec0ee3922278c194e43f6e2f0fcef221c65e5f4490d3b
Tags: BlackBasta, exe, user-JAMESWT_MHT

Detection

BlackBasta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
AI detected suspicious sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Drops executable to a common third party application directory
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
May disable shadow drive data (uses vssadmin)
Monitors registry run keys for changes
Potential evasive VBS script found (sleep loop)
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Module File Created By Non-PowerShell Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Black Basta
Description: "Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

AV Detection

Source: goXq0JH6sn.exe Avira: detected
Source: goXq0JH6sn.exe ReversingLabs: Detection: 50%
Source: goXq0JH6sn.exe Virustotal: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: goXq0JH6sn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\en_US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\es_ES\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fi_FI\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_FR\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\fr_MA\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\he_IL\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\hu_HU\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\it_IT\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ja_JP\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ko_KR\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nb_NO\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\nl_NL\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pl_PL\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\pt_BR\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\ru_RU\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sk_SK\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sl_SI\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\sv_SE\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\tr_TR\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\uk_UA\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_CN\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\zh_TW\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\en_US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\AcroForm\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Multimedia\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\prc\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\ENU\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\ENU\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\Pfm\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\Unicode\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\Linguistics\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\{AC76BA86-1033-1033-7760-BC15014EA700}\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Extensions\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Locales\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\MEIPreload\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\VisualElements\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\WidevineCdm\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\instructions_read_me.txt Jump to behavior
Source: goXq0JH6sn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: pingsender.pdb source: pingsender.exe.3.dr
Source: Binary string: D:\a\_work\1\s\build\external\msix-sdk\bin\msix.pdb source: msix.dll.3.dr
Source: Binary string: mavinject32.pdbGCTL source: MavInject32.exe.3.dr
Source: Binary string: AppVISVSubsystems32.pdb source: AppvIsvSubsystems32.dll.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source: Binary string: msvcr120.amd64.pdb source: msvcr120.dll.3.dr
Source: Binary string: AppVISVSubsystems32.pdbGCTL source: AppvIsvSubsystems32.dll.3.dr
Source: Binary string: AppVIntegration.pdbGCTL source: AppVIntegration.dll.3.dr
Source: Binary string: D:\a\_work\1\s\build\external\msix-sdk\bin\msix.pdbTT$GCTL source: msix.dll.3.dr
Source: Binary string: mavinject32.pdb source: MavInject32.exe.3.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.3.dr
Source: Binary string: AppVIntegration.pdb source: AppVIntegration.dll.3.dr

Spreading


Networking

Source: explorer.exe, 00000003.00000003.2370813409.0000000004A80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt105.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt148.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt56.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt57.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt133.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt191.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: omni.ja0.3.dr String found in binary or memory: https://mathiasbynens.be/notes/javascript-escapes#single
Source: omni.ja0.3.dr String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: pingsender.exe.3.dr, qipcap64.dll.3.dr String found in binary or memory: https://mozilla.org0/
Source: omni.ja0.3.dr String found in binary or memory: https://prod.oht
Source: omni.ja0.3.dr String found in binary or memory: https://profiler.firefox.com
Source: omni.ja0.3.dr String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: omni.ja0.3.dr String found in binary or memory: https://relay.firefox.com/api/v1/
Source: omni.ja0.3.dr String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: omni.ja0.3.dr String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: omni.ja0.3.dr String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: omni.ja0.3.dr String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: omni.ja0.3.dr String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: omni.ja0.3.dr String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: omni.ja0.3.dr String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: omni.ja0.3.dr String found in binary or memory: https://services.addons.mozilla.oN
Source: omni.ja0.3.dr String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: omni.ja0.3.dr String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: omni.ja0.3.dr String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: omni.ja0.3.dr String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: omni.ja0.3.dr String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: omni.ja0.3.dr String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: omni.ja0.3.dr String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: omni.ja0.3.dr String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: omni.ja0.3.dr String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: omni.ja0.3.dr String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: omni.ja0.3.dr String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: omni.ja0.3.dr String found in binary or memory: https://w3c.github.io/mathml-core/#dfn-maction
Source: omni.ja0.3.dr String found in binary or memory: https://w3c.github.io/mathml-core/#the-mathvariant-attribute
Source: omni.ja0.3.dr String found in binary or memory: https://webcompat.com/issues/new
Source: omni.ja0.3.dr String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: omni.ja0.3.dr String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: Au3Check.exe.3.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: qipcap64.dll.3.dr, softokn3.dll.3.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Au3Check.exe.3.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: omni.ja0.3.dr String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: omni.ja0.3.dr String found in binary or memory: https://www.mozilla.org/
Source: omni.ja0.3.dr String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: omni.ja0.3.dr String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: omni.ja0.3.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: explorer.exe, 00000003.00000003.2370813409.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt105.3.dr, instructions_read_me.txt148.3.dr, instructions_read_me.txt56.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt133.3.dr, instructions_read_me.txt191.3.dr String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Source: C:\instructions_read_me.txt Dropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 66e18026-1453-4fe2-8621-d51fcc9dc54e*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat.
Source: Yara match File source: 3.3.explorer.exe.4a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.explorer.exe.4a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.2370813409.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2940, type: MEMORYSTR
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: explorer.exe, 00000003.00000003.2370813409.0000000004A80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: explorer.exe, 00000003.00000003.2370813409.0000000004A80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xhSYSTEM\CurrentControlSet\Control\Terminal ServerfDenyTSConnections.bhvkngxutC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000004.00000002.2381674087.0000000002E10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000004.00000002.2381691576.0000000002F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000004.00000002.2381691576.0000000002F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000004.00000002.2381691576.0000000002F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietq
Source: cmd.exe, 00000004.00000002.2381691576.0000000002F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet&
Source: cmd.exe, 00000004.00000002.2381691576.0000000002F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000004.00000002.2382291805.00000000032F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet_USEmu
Source: cmd.exe, 00000004.00000002.2382291805.00000000032F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000006.00000002.2381151310.000002ADFB900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000006.00000002.2381151310.000002ADFB900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000006.00000002.2381261876.000002ADFBB65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietd
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\$WinREAgent\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\PerfLogs\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files (x86)\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\ProgramData\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\$WinREAgent\Scratch\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\7-Zip\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Adobe\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Internet Explorer\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Microsoft\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\$WinREAgent\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\PerfLogs\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\Program Files\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\Program Files (x86)\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\ProgramData\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\Program Files (x86)\Windows Media Player\en-US\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\Program Files (x86)\Windows Media Player\Media Renderer\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\Program Files (x86)\Windows Media Player\Network Sharing\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe File dropped: C:\Program Files (x86)\Windows Media Player\Skins\instructions_read_me.txt -> same note text as C:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_3_031C7059 3_3_031C7059
Source: goXq0JH6sn.exe, 00000000.00000002.2370517819.00000000006CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMFC_GDI_PLUS.exeJ vs goXq0JH6sn.exe
Source: goXq0JH6sn.exe Binary or memory string: OriginalFilenameMFC_GDI_PLUS.exeJ vs goXq0JH6sn.exe
Source: goXq0JH6sn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AppvIsvSubsystems32.dll.3.dr Binary string: for %1% in name mapper. Error: %2%related_name_resolver::initFailed to map NT object name for %1% in name mapper.related_name_resolver::get_name_by_handle\Device\\logfiles\HostDriverStoreWow64 mapper detected process running under wow64.wow64_name_mapper::initWow64DisableWow64FsRedirection\driverstoreWow64RevertWow64FsRedirectionFailed tC
Source: AppVIntegration.dll.3.dr Binary string: ionTopiccommand\DropTargetNoActivateHandlerAppV::Subsystem::UrlProtocolHandler::Publisher::ApplicationUrlProtocolPublisher::PerfomPublishingApplicationUrlProtocolPublisher, publish operation succeeded. Name: %1%\device\admin\appman\appv\subsystems\utils\appid_utils.cppMicrosoft.AppV.Microsoft Base Cryptographic Provider v1.0admin\appman\app
Source: classification engine Classification label: mal100.rans.spre.evad.winEXE@11/904@0/0
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\fkdjsadasd.ico
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: goXq0JH6sn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Program Files\Mozilla Firefox\application.ini
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %ssig_%s_%08x_%08xupd_%s_%s
Source: softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: softokn3.dll.3.dr Binary or memory string: updateDir=libraryDescription=slotDescription=cryptoSlotDescription=dbSlotDescription=FIPSSlotDescription=tokenDescription=cryptoTokenDescription=updateTokenDescription=dbTokenDescription=FIPSTokenDescription=minPWLen=secmod=manufacturerID=updateID=DROP TABLE IF EXISTS metaData;SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;PRAGMA table_info(%s);PKCS 110000000000000000Mozilla Rules the World through NSS! AND NSS Application Token %08x NSS FIPS 140-2 Certificate DB NSS Internal Crypto Services NSS Generic Crypto Services NSS 3
Source: softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: goXq0JH6sn.exe ReversingLabs: Detection: 50%
Source: goXq0JH6sn.exe Virustotal: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\goXq0JH6sn.exe "C:\Users\user\Desktop\goXq0JH6sn.exe"
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: unknown Process created: C:\Windows\System32\ctfmon.exe "ctfmon.exe"
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Section loaded: b.dll Jump to behavior
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\application.ini Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\7-Zip\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Internet Explorer\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Microsoft\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows NT\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\7-Zip\Lang\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\System\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Microsoft\OneDrive\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender\Platform\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows NT\Accessories\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows NT\TableTextService\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Esl\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows NT\Accessories\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Javascripts\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\SaslPrep\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\instructions_read_me.txt Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\instructions_read_me.txt Jump to behavior
Source: goXq0JH6sn.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: goXq0JH6sn.exe Static file information: File size 2770944 > 1048576
Source: goXq0JH6sn.exe Static PE information: section name: RT_CURSOR
Source: goXq0JH6sn.exe Static PE information: section name: RT_BITMAP
Source: goXq0JH6sn.exe Static PE information: section name: RT_ICON
Source: goXq0JH6sn.exe Static PE information: section name: RT_MENU
Source: goXq0JH6sn.exe Static PE information: section name: RT_DIALOG
Source: goXq0JH6sn.exe Static PE information: section name: RT_STRING
Source: goXq0JH6sn.exe Static PE information: section name: RT_ACCELERATOR
Source: goXq0JH6sn.exe Static PE information: section name: RT_GROUP_ICON
Source: goXq0JH6sn.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x220600
Source: goXq0JH6sn.exe Static PE information: More than 200 imports for USER32.dll
Source: goXq0JH6sn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: goXq0JH6sn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: goXq0JH6sn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: goXq0JH6sn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: goXq0JH6sn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: goXq0JH6sn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: goXq0JH6sn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source: Binary string: pingsender.pdb source: pingsender.exe.3.dr
Source: Binary string: D:\a\_work\1\s\build\external\msix-sdk\bin\msix.pdb source: msix.dll.3.dr
Source: Binary string: mavinject32.pdbGCTL source: MavInject32.exe.3.dr
Source: Binary string: AppVISVSubsystems32.pdb source: AppvIsvSubsystems32.dll.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source: Binary string: msvcr120.amd64.pdb source: msvcr120.dll.3.dr
Source: Binary string: AppVISVSubsystems32.pdbGCTL source: AppvIsvSubsystems32.dll.3.dr
Source: Binary string: AppVIntegration.pdbGCTL source: AppVIntegration.dll.3.dr
Source: Binary string: D:\a\_work\1\s\build\external\msix-sdk\bin\msix.pdbTT$GCTL source: msix.dll.3.dr
Source: Binary string: mavinject32.pdb source: MavInject32.exe.3.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.3.dr
Source: Binary string: AppVIntegration.pdb source: AppVIntegration.dll.3.dr
Source: goXq0JH6sn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: goXq0JH6sn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: goXq0JH6sn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: goXq0JH6sn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: goXq0JH6sn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Code function: 0_2_004564CE push eax; ret 0_2_004564D4
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Code function: 0_2_0064477D push ecx; ret 0_2_00644790
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_3_031D1E09 push es; iretd 3_3_031D1E0C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_3_031B7839 push edi; retn 0016h 3_3_031B783A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_3_031B5039 push edx; retn 000Bh 3_3_031B503A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_3_031AC051 pushad ; retn 0007h 3_3_031AC052
Source: C:\Windows\SysWOW64\explorer.exe Code function: 3_3_031D3549 push ecx; ret 3_3_031D3554

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavcodec.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavcodec.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavcodec.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavcodec.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavcodec.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozavutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozglue.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\notificationserver.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\notificationserver.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\notificationserver.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\notificationserver.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\notificationserver.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\msvcp140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nss3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nss3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nss3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nss3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nss3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozwer.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozwer.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozwer.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\osclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\osclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\osclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozwer.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\mozwer.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\osclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\osclientcerts.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nssckbi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nssckbi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nssckbi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nssckbi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\nssckbi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\qipcap64.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\qipcap64.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\qipcap64.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\softokn3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\qipcap64.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\qipcap64.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\softokn3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\softokn3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\softokn3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\softokn3.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\xul.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\xul.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\xul.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\xul.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\xul.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Program Files\Mozilla Firefox\vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\7-zip.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\vcruntime140_1.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\mozglue.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\7z.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\7-zip32.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\notificationserver.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\libEGL.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\xul.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\mozwer.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\nssckbi.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\osclientcerts.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\nss3.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\msvcp140.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\qipcap64.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\mozavutil.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\softokn3.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\vcruntime140.dll
Source: C:\Windows\SysWOW64\explorer.exe System file written: C:\Program Files\Mozilla Firefox\mozavcodec.dll

Boot Survival

Source: C:\Windows\SysWOW64\explorer.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skype
Source: C:\Windows\System32\ctfmon.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\explorer.exe Dropped file: Do While objScriptExec.Status = 0 WScript.Sleep 100
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 2116
Source: C:\Windows\SysWOW64\explorer.exe TID: 7680 Thread sleep count: 265 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5540 Thread sleep count: 2116 > 30
Source: C:\Windows\System32\ctfmon.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
Source: C:\Windows\SysWOW64\explorer.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\goXq0JH6sn.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2CF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Thread created: C:\Windows\SysWOW64\explorer.exe EIP: 2D3525B
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Memory written: PID: 2940 base: 2CF0000 value: EF
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Memory written: PID: 2940 base: 2D9C26E value: 00
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2CF0000
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D9C26E
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\goXq0JH6sn.exe Code function: 0_2_00645024 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00645024
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos