Edit tour

Windows Analysis Report
zhbEGHo55P.exe

Overview

General Information

Sample name:	zhbEGHo55P.exe renamed because original name is a hash value
Original sample name:	82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69(1).exe
Analysis ID:	1558517
MD5:	6c755a742f2b2e5c1820f57d0338365f
SHA1:	0b22b6e5269ec241b82450a7e65009685a3010fb
SHA256:	82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

LockBit ransomware

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LockBit ransomware

AI detected suspicious sample

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Deletes itself after installation

Found Tor onion address

Found potential ransomware demand text

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Enables security privileges

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

zhbEGHo55P.exe (PID: 3656 cmdline: "C:\Users\user\Desktop\zhbEGHo55P.exe" MD5: 6C755A742F2B2E5C1820F57D0338365F)

splwow64.exe (PID: 2248 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

3B5A.tmp (PID: 2620 cmdline: "C:\ProgramData\3B5A.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)

cmd.exe (PID: 6440 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ONENOTE.EXE (PID: 5844 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{D79D5AAD-BC63-41DE-AE42-49492D7025DC}.xps" 133764973860940000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
Process Memory Space: zhbEGHo55P.exe PID: 3656	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.zhbEGHo55P.exe.e00000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.2.zhbEGHo55P.exe.e00000.0.unpack	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x2bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zhbEGHo55P.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	Avira URL Cloud: Label: malware
Source: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\3B5A.tmp

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\3B5A.tmp

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: zhbEGHo55P.exe

ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\3B5A.tmp

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: zhbEGHo55P.exe

Joe Sandbox ML: detected

Source: zhbEGHo55P.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Videos\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Searches\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Saved Games\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Recent\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Pictures\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Pictures\Saved Pictures\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Pictures\Camera Roll\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\OneDrive\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Music\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Links\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Favorites\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Favorites\Links\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Downloads\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\TQDFJHPUIU\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\QCOILOQIKC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\NVWZAPQSQL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\LIJDSFKJZG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\GLTYDMDUST\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EOWRVPQCCS\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EFOYFBOLXA\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EEGWXUHVUG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\DUUDTUBZFW\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\TQDFJHPUIU\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\QCOILOQIKC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\NVWZAPQSQL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\LIJDSFKJZG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\GLTYDMDUST\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EOWRVPQCCS\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EFOYFBOLXA\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EEGWXUHVUG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\DUUDTUBZFW\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Contacts\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\7f127c30-a3b8-4aab-b28d-01f679ac280d\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\VirtualStore\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5652_1417691134\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5156_110794397\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Low\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_965461321\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_62919943\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_601093063\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_423664317\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_320437163\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_236606693\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_2073859434\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1819848164\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1798580215\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1779658456\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1763153001\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1740856358\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1725894609\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_17058258\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1567651471\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1239538394\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1077836906\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1012409649\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\PeerDistRepub\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{ac01b07d-c9ac-4d31-8220-3dc6d7aa0576}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{6f6a6616-c437-4533-b6a1-6b30da29cd38}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c82d26a9-b16c-48ba-9444-88303f538f65}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{84c2e19f-ba07-4fa5-bd92-4f6344328293}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{83e066fd-b384-48a0-aa9a-a84b64b92fcb}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c6c2934-0fe6-436b-88a8-a2fbe2de3751}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior

Source: zhbEGHo55P.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\El4CmMA.EUPTJQjet source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365448759.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ownload.errortt source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390480967.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385693273.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2387933180.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2388484993.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2395294951.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2392743496.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2397792630.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390941477.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorF source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ad_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382963901.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377813086.0000000000F72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\IIdBIRa.EUPTJQjet0 source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\UPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\IIdBIRa.EUPTJQjet` source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\EUPTJQjet.README.txtE source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2v source: zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365448759.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\UPTJQjet.README.txtLr source: zhbEGHo55P.exe, 00000000.00000003.2411212107.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390480967.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2405011103.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2406769539.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385693273.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2401189534.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2387933180.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2388484993.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2395294951.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2404192250.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2399827167.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2392743496.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2397792630.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2403895684.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2408003222.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390941477.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2402089878.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2403697628.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$ source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$ source: zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390901099.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\El4CmMA.EUPTJQjetne source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\EUPTJQjet.README.txt_0 source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\UPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\UPTJQjet.README.txtt source: zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365448759.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E074BC FindFirstFileExW,FindNextFileW,	0_2_00E074BC
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0A094 FindFirstFileExW,FindClose,	0_2_00E0A094
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E05C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,	0_2_00E05C24
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E07590 FindFirstFileExW,FindClose,	0_2_00E07590
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,	0_2_00E0766C
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,	0_2_00E0F308
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_0040227C FindFirstFileExW,	7_2_0040227C
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,	7_2_0040152C

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E07468 GetLogicalDriveStringsW,GetDriveTypeW,

0_2_00E07468

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior

Networking

Found Tor onion address

Source: zhbEGHo55P.exe, 00000000.00000003.2552760214.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2552760214.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2648226451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2648226451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2297273167.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2297273167.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2422682512.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2422682512.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2504179596.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2504179596.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2296498981.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2296498981.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2433314867.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2433314867.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2581174848.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2581174848.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2454981543.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2454981543.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2405199774.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2405199774.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2323190189.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2323190189.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2529982078.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2529982078.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2534619718.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2534619718.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2301454401.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2301454401.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2594369966.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2594369966.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2490051782.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2490051782.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2301980387.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2301980387.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2593038756.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2593038756.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2424974864.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2424974864.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2543995067.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2543995067.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2527798294.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2527798294.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2460383683.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2460383683.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2514742163.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2514742163.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2465387132.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2465387132.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2643637799.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2643637799.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2303534653.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2303534653.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2439822951.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2439822951.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2602968931.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2602968931.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2658606866.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2658606866.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2497321700.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2497321700.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2563364825.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2563364825.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2405011103.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2405011103.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2443562164.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2443562164.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2532900142.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2532900142.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2407794773.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2407794773.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2575689342.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2575689342.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2445632152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2445632152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2672339183.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2672339183.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2505422046.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2505422046.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2465975591.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2465975591.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2530897421.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2530897421.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2351932671.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2517891534.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2517891534.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2582211101.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2582211101.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2700340015.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2700340015.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2624572778.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2624572778.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2605053255.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2605053255.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2444154759.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2444154759.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2615314191.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2615314191.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2558182773.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2558182773.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2315813387.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2315813387.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2624022072.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2624022072.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2550432472.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2550432472.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2298745251.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2298745251.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2329090344.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2329090344.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2425167377.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2425167377.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2672202444.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2672202444.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2363395679.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2363395679.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2388292737.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2388292737.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2315813387.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2315813387.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2533782084.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2533782084.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2638663286.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2638663286.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2501571701.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2501571701.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2292692990.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2292692990.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2656841718.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2656841718.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2412898221.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2412898221.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2306134304.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2306134304.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2289891973.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2289891973.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2311812250.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2311812250.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2598449828.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2598449828.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2557564232.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2557564232.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2527124552.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2527124552.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2462433496.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2462433496.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2411212107.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2411212107.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2326078121.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2326078121.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2598449828.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2598449828.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2421867005.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2421867005.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2431172890.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2431172890.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2453207669.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2453207669.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2663756924.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2663756924.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2629228044.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2629228044.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2492185762.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2492185762.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2435420753.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2435420753.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2406769539.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2406769539.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2326078121.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2326078121.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2642313205.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2642313205.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2299826761.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2299826761.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2488545517.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2488545517.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2448131750.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2448131750.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2603615010.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2603615010.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2638271600.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2638271600.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2550432472.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2550432472.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2536749612.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2536749612.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2577733624.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2577733624.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2395536838.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2395536838.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2524971754.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2524971754.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2613734789.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2613734789.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2610292246.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2610292246.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2324302390.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2324302390.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2567505873.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2567505873.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2664869208.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2664869208.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2590004910.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2590004910.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2578555238.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2578555238.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2481703573.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2481703573.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2647565923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2647565923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional8>
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf>
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionins>
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionL>
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionY>
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion$?
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion]1?
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionh?
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionV?
Source: zhbEGHo55P.exe, 00000000.00000003.2571088827.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2571088827.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2622331629.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2622331629.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2633284194.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2633284194.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2516009437.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2516009437.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2675945135.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2675945135.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2444435410.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2444435410.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2585446762.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2585446762.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2508671546.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2508671546.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2449322805.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2449322805.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2585227889.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2585227889.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2327053169.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2327053169.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2287544018.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2287544018.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2433542277.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2433542277.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2279087961.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2279087961.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2310044248.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2310044248.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2606810002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2606810002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2629228044.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2629228044.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2437367323.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2437367323.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2506659900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2506659900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2544519592.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2544519592.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2529621540.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2529621540.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2592668977.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2592668977.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2602968931.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2602968931.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2338435267.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2338435267.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2489163793.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2489163793.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2322094334.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2322094334.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2451730388.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2451730388.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2520502396.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2520502396.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2392743496.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2392743496.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2616214986.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2616214986.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2309319380.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2309319380.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2634094613.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2634094613.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2608493068.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2608493068.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2402089878.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2402089878.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2647565923.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2647565923.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2289694328.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2289694328.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2351932671.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2351932671.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2622077410.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2622077410.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2438465100.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2438465100.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2434652753.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2434652753.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2571431495.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2571431495.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2559211620.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2559211620.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2419975975.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2419975975.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2542047296.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2542047296.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2671114590.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2671114590.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2282402728.0000000000F26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2593565260.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2593565260.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2607936055.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2607936055.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2327053169.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2327053169.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2484493346.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2484493346.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2343563174.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2343563174.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2596072250.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2596072250.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2524181179.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2524181179.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2451232879.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2451232879.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2543750016.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2543750016.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2465387132.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2465387132.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2633284194.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2633284194.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2387674973.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2387674973.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2415697667.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2415697667.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2545780067.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2545780067.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2538835869.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2538835869.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2306794786.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2306794786.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2570757223.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2570757223.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2447369022.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2447369022.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2437602818.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2437602818.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2582643331.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2582643331.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2436441527.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2436441527.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2591738495.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2591738495.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2444872029.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2444872029.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2541792469.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2541792469.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2615607877.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2615607877.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2618092726.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2618092726.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2493869607.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2493869607.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2594369966.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2594369966.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2303174682.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2303174682.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2317048660.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2317048660.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2397792630.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2397792630.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2485469297.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2485469297.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2297770409.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2297770409.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2553009581.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2553009581.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2472881113.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2472881113.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2499567821.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2499567821.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2666469638.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2666469638.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2445802006.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2445802006.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2495200487.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2495200487.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2429577214.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2429577214.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2595030173.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2595030173.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2474497361.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2474497361.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2338552853.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2338552853.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2285196777.0000000000F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2285196777.0000000000F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2414335809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2414335809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2587263859.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2587263859.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2577733624.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2577733624.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2316910822.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2316910822.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2630619188.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2630619188.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2578834940.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2578834940.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2403697628.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2403697628.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2513906951.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2513906951.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2483623697.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2483623697.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2440566969.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2440566969.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2661208401.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2661208401.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2508350478.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2508350478.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2599734515.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2599734515.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2416819770.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2416819770.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2533782084.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2533782084.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2422398452.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2422398452.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2289495856.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2289495856.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2322094334.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2322094334.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2315813387.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2315813387.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2575019861.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2575019861.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2528575841.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2528575841.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2290797544.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2290797544.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2673356984.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2673356984.0000000000F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2317838081.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2317838081.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2486064811.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2486064811.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Source: zhbEGHo55P.exe, 00000000.00000003.2552760214.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2648226451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2297273167.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2422682512.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2504179596.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2296498981.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, SPL1013.tmp.0.dr	String found in binary or memory: http://lockbitapt.uz
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: SPL1013.tmp.0.dr	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionY
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional8
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion$?
Source: SPL1013.tmp.0.dr	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionL
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionV?
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionins
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: SPL1013.tmp.0.dr	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionh?
Source: zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupp.uz
Source: SPL1013.tmp.0.dr	String found in binary or memory: http://lockbitsupp.uzFFFFFFFFFFFFFFFFFFFFF
Source: zhbEGHo55P.exe, 00000000.00000003.2552760214.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2648226451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2297273167.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2422682512.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2504179596.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2296498981.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Source: zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2433314867.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2581174848.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454981543.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2405199774.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2323190189.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2529982078.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt

Dropped file: Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay.--- Our communication process:1. You contact us.2. We send you a list of files that were stolen.3. We decrypt 1 file to confirm that our decryptor works.4. We agree on the amount, which must be paid using BTC.5. We delete your files, we give you a decryptor.6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us):Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> Use this ID: 39C1BACACEDFEC0F0089A12EC6A0DFF4 to begin the recovery process.* In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/--- Additional contacts:Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20--- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged.DO NOT RENAME OR MOVE the encrypted and readme files.DO NOT DELETE readme files.--- Important:If you refuse to pay or do not get in touch with us, we start publishing your files.26/04/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog.Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onionSincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

Jump to dropped file

Yara detected LockBit ransomware

Source: Yara match	File source: 0.2.zhbEGHo55P.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zhbEGHo55P.exe PID: 3656, type: MEMORYSTR

Found potential ransomware demand text

Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedg
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedE
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypteds
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptede
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedl
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedeT
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted^
Source: zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedg
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedE
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypteds
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptede
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedl
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedeT
Source: zhbEGHo55P.exe, 00000000.00000002.2852617018.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted^
Source: SPL1013.tmp.0.dr	String found in binary or memory : Your data are stolen and encryptedFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File moved: C:\Users\user\Desktop\EEGWXUHVUG\BJZFPPWAPT.png	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File moved: C:\Users\user\Desktop\EEGWXUHVUG\NVWZAPQSQL.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File moved: C:\Users\user\Desktop\EOWRVPQCCS.jpg	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File moved: C:\Users\user\Desktop\NVWZAPQSQL.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File moved: C:\Users\user\Desktop\NVWZAPQSQL\EIVQSAOTAQ.png	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt -> decrypt 1 file to confirm that our decryptor works.4. we agree on the amount, which must be paid using btc.5. we delete your files, we give you a decryptor.6. we give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- client area (use this site to contact us):link for tor browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion>>> use this id: 39c1bacacedfec0f0089a12ec6a0dff4 to begin the recovery process.* in order to access the site, you will need tor browser, you can download it from this link: https://www.torproject.org/--- additional contacts:support tox: 1c054b722bcbf41a918ef3c485712742088f5c3e81b2fdd91adea6ba55f4a856d90a65e99d20--- recommendations: do not reset or shutdown - files may be damaged.do not rename or move the encrypted and readme files.do not delete readme files.--- important:if you refuse to pay or do not get in touch with us	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\FlZxH2s.EUPTJQjet entropy: 7.99493182187	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\g9CYSNi.EUPTJQjet entropy: 7.99435299519	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\1OhAzBo.EUPTJQjet entropy: 7.99536598471	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\eNCVpLq.EUPTJQjet entropy: 7.99480033151	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\L1qUIpp.EUPTJQjet entropy: 7.99456541243	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\4DM2Gmv.EUPTJQjet entropy: 7.99557894029	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\dV917sj.EUPTJQjet entropy: 7.99543597253	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\ozHCh9b.EUPTJQjet entropy: 7.99480277496	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\YKT5YBO.EUPTJQjet entropy: 7.99477453532	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\duSe6Cp.EUPTJQjet entropy: 7.99517541472	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\eckcujo.EUPTJQjet entropy: 7.99483836602	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\7I6rPrM.EUPTJQjet entropy: 7.99469431136	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\NVMmR0x.EUPTJQjet entropy: 7.9948865043	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\lC3IX32.EUPTJQjet entropy: 7.99513675136	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\f4rjyfY.EUPTJQjet entropy: 7.99455529852	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\sex6yk8.EUPTJQjet entropy: 7.99506954451	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\mapuGD5.EUPTJQjet entropy: 7.99478814674	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\opyt6rz.EUPTJQjet entropy: 7.99521165787	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\JQvluum.EUPTJQjet entropy: 7.99472914712	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\w7iMD8h.EUPTJQjet entropy: 7.99550606515	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\LE9WQlS.EUPTJQjet entropy: 7.99550154556	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\dlFuARc.EUPTJQjet entropy: 7.99525474739	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\R60A3SY.EUPTJQjet entropy: 7.99506334379	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\XDeAwQK.EUPTJQjet entropy: 7.99431692704	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Y9iPdCS.EUPTJQjet entropy: 7.99470916967	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\lYRIZRn.EUPTJQjet entropy: 7.99424140712	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\3n642bg.EUPTJQjet entropy: 7.994767723	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\3ld25BO.EUPTJQjet entropy: 7.99425523845	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\VDmSOwh.EUPTJQjet entropy: 7.99521488867	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\9YjQYq6.EUPTJQjet entropy: 7.9940229052	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Ncd5nAT.EUPTJQjet entropy: 7.99504361173	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\00Ao58v.EUPTJQjet entropy: 7.99491315756	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\fjWevQE.EUPTJQjet entropy: 7.99499536459	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\l1QouX7.EUPTJQjet entropy: 7.9955512602	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\J9llIZR.EUPTJQjet entropy: 7.99539658098	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\GTw5HPj.EUPTJQjet entropy: 7.9954207629	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\yA2eyTn.EUPTJQjet entropy: 7.99387227088	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\QqBi7zj.EUPTJQjet entropy: 7.99459834059	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\oJfdn4X.EUPTJQjet entropy: 7.99455091871	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\IPAAwnT.EUPTJQjet entropy: 7.99553089613	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\y56issZ.EUPTJQjet entropy: 7.99450395273	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\AOc1zKT.EUPTJQjet entropy: 7.99495655822	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\0iJf6oH.EUPTJQjet entropy: 7.99460151478	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\liAG2zD.EUPTJQjet entropy: 7.99559076152	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\iDY7dWc.EUPTJQjet entropy: 7.99555861764	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\oWqeWwS.EUPTJQjet entropy: 7.99532807703	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\CcPHJEq.EUPTJQjet entropy: 7.99584827584	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\JYDzpUJ.EUPTJQjet entropy: 7.99549884278	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\ic45FFK.EUPTJQjet entropy: 7.99456550813	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\rZjTVQS.EUPTJQjet entropy: 7.99547914808	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Yi6PAyl.EUPTJQjet entropy: 7.99492995221	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\iK9NSTJ.EUPTJQjet entropy: 7.9948645216	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\xLRcjBR.EUPTJQjet entropy: 7.99554807968	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\aMB9eEi.EUPTJQjet entropy: 7.99525486018	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\WZg7yeT.EUPTJQjet entropy: 7.99532237513	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\9Fde9uN.EUPTJQjet entropy: 7.9953690456	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\hz6Voz2.EUPTJQjet entropy: 7.99552115459	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\3FlJDxY.EUPTJQjet entropy: 7.99481339397	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\naPBDt6.EUPTJQjet entropy: 7.9951340448	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\CnbdfpE.EUPTJQjet entropy: 7.99525782099	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\F3FDeZA.EUPTJQjet entropy: 7.99509660037	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\g8r1oNu.EUPTJQjet entropy: 7.99481585497	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\oajDB6n.EUPTJQjet entropy: 7.99597188418	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MhmrXou.EUPTJQjet entropy: 7.99456559194	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\hUpOPop.EUPTJQjet entropy: 7.99468850646	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\15mukzw.EUPTJQjet entropy: 7.99577988919	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Kxwla7v.EUPTJQjet entropy: 7.99581563184	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\uOzS8gV.EUPTJQjet entropy: 7.99532307595	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\J1sC999.EUPTJQjet entropy: 7.99505733913	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\pBohiXa.EUPTJQjet entropy: 7.99523839094	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\yuzXwmq.EUPTJQjet entropy: 7.99511852782	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Sa89Iww.EUPTJQjet entropy: 7.99514162675	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\aAedI9k.EUPTJQjet entropy: 7.99429278411	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\q4CFJnx.EUPTJQjet entropy: 7.99644184087	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\TGdEds8.EUPTJQjet entropy: 7.99459775843	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\vi4XvhV.EUPTJQjet entropy: 7.99611678345	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\deIuDfB.EUPTJQjet entropy: 7.9943896911	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\EdFJPef.EUPTJQjet entropy: 7.99413192667	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\A85vXOE.EUPTJQjet entropy: 7.99473118952	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\SWSCRek.EUPTJQjet entropy: 7.9958323122	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\D09rMD1.EUPTJQjet entropy: 7.99448329816	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\oxsITlT.EUPTJQjet entropy: 7.99917760356	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\iuDWUtG.EUPTJQjet entropy: 7.99388042093	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\qDzjXWu.EUPTJQjet entropy: 7.9918189947	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\LguFA6y.EUPTJQjet entropy: 7.99724222182	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\3AlcjmV.EUPTJQjet entropy: 7.99839864455	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\swK1I7z.EUPTJQjet entropy: 7.99523675574	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\NhlGfpp.EUPTJQjet entropy: 7.99582591531	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\43wXwns.EUPTJQjet entropy: 7.99522865174	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\bhnllJ0.EUPTJQjet entropy: 7.99534151446	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\FjK7yt2.EUPTJQjet entropy: 7.99452653437	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\KA3bcx2.EUPTJQjet entropy: 7.99577409745	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\dNggjpN.EUPTJQjet entropy: 7.99541982262	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\cYCClYQ.EUPTJQjet entropy: 7.99535432942	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\YnzxR8K.EUPTJQjet entropy: 7.99529946778	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Tdq0kJo.EUPTJQjet entropy: 7.9944732843	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\2yIcAqm.EUPTJQjet entropy: 7.99395045262	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\YKufZth.EUPTJQjet entropy: 7.99965397035	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\tEn9BbN.EUPTJQjet entropy: 7.99457970559	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\FsNYcLU.EUPTJQjet entropy: 7.99475026467	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\AGGa1BH.EUPTJQjet entropy: 7.99500285106	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\ENFCPnq.EUPTJQjet entropy: 7.99557542619	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\VcbaEWc.EUPTJQjet entropy: 7.99419193497	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\cxUtfQb.EUPTJQjet entropy: 7.99459197853	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\HcQ5qVf.EUPTJQjet entropy: 7.9996270829	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\26aF3Sp.EUPTJQjet entropy: 7.99964193222	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\lVUf9iz.EUPTJQjet entropy: 7.99965539896	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\420rzgy.EUPTJQjet entropy: 7.99453952637	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\zenmzHB.EUPTJQjet entropy: 7.9970446428	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\XWguEz9.EUPTJQjet entropy: 7.99908080366	Jump to dropped file
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\xcYbgjA.EUPTJQjet entropy: 7.99921162919	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\zhbEGHo55P.exe entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\AAAAAAAAAAAAAA (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\BBBBBBBBBBBBBB (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\CCCCCCCCCCCCCC (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\DDDDDDDDDDDDDD (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\EEEEEEEEEEEEEE (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\FFFFFFFFFFFFFF (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\GGGGGGGGGGGGGG (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\HHHHHHHHHHHHHH (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\IIIIIIIIIIIIII (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJ (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\KKKKKKKKKKKKKK (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\LLLLLLLLLLLLLL (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\MMMMMMMMMMMMMM (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\NNNNNNNNNNNNNN (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\OOOOOOOOOOOOOO (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\PPPPPPPPPPPPPP (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQ (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\RRRRRRRRRRRRRR (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\SSSSSSSSSSSSSS (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\TTTTTTTTTTTTTT (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\UUUUUUUUUUUUUU (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\VVVVVVVVVVVVVV (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\WWWWWWWWWWWWWW (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\XXXXXXXXXXXXXX (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\YYYYYYYYYYYYYY (copy) entropy: 7.99703182947	Jump to dropped file
Source: C:\ProgramData\3B5A.tmp	File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZ (copy) entropy: 7.99703182947	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.zhbEGHo55P.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E104B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,	0_2_00E104B4
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E09880 NtClose,	0_2_00E09880
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0DC60 NtTerminateProcess,	0_2_00E0DC60
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0B470 NtProtectVirtualMemory,	0_2_00E0B470
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0B444 NtSetInformationThread,	0_2_00E0B444
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E17034 KiUserCallbackDispatcher,CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread,CreateThread,	0_2_00E17034
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0E1E8 CreateThread,NtClose,	0_2_00E0E1E8
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E06668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,DeleteFileW,	0_2_00E06668
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0B674 NtQueryInformationToken,	0_2_00E0B674
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0DE78 SetThreadPriority,ReadFile,WriteFile,WriteFile,NtClose,	0_2_00E0DE78
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E07E58 NtQuerySystemInformation,Sleep,	0_2_00E07E58
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0B3C0 NtSetInformationThread,	0_2_00E0B3C0
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E097D8 NtQuerySystemInformation,	0_2_00E097D8
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E08F68 RtlAdjustPrivilege,NtSetInformationThread,	0_2_00E08F68
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0B734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	0_2_00E0B734
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0982A NtQuerySystemInformation,	0_2_00E0982A
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E09811 NtQuerySystemInformation,	0_2_00E09811
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E07EA3 NtQuerySystemInformation,Sleep,	0_2_00E07EA3
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E07E8A NtQuerySystemInformation,Sleep,	0_2_00E07E8A
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E08F66 RtlAdjustPrivilege,NtSetInformationThread,	0_2_00E08F66
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_00402760 CreateFileW,ReadFile,NtClose,	7_2_00402760
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	7_2_0040286C
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,	7_2_00402F18
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_00401DC2 NtProtectVirtualMemory,	7_2_00401DC2
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_00401D94 NtSetInformationThread,	7_2_00401D94
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	7_2_004016B4

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E0A68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,

0_2_00E0A68C

Source: C:\Windows\splwow64.exe

File created: C:\Windows\system32\spool\PRINTERS\00002.SPL

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E020AC	0_2_00E020AC
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E080B8	0_2_00E080B8
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E04D03	0_2_00E04D03
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E04D08	0_2_00E04D08
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E05218	0_2_00E05218

Source: Joe Sandbox View

Dropped File: C:\ProgramData\3B5A.tmp 917E115CC403E29B4388E0D175CBFAC3E7E40CA1742299FBDB353847DB2DE7C2

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Process token adjusted: Security

Source: zhbEGHo55P.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.zhbEGHo55P.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18

Source: 3B5A.tmp.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.phis.spyw.evad.winEXE@9/1689@0/0

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

File created: C:\Users\EUPTJQjet.README.txt

Jump to behavior

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\548aa41141e72339cf9daac6d40189a7
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\ProgramData\3B5A.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

File created: C:\Users\user\AppData\Local\Temp\EUPTJQjet.README.txt

Jump to behavior

Source: C:\Windows\splwow64.exe

File read: C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-manifest.ini

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zhbEGHo55P.exe

ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\zhbEGHo55P.exe "C:\Users\user\Desktop\zhbEGHo55P.exe"
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process created: C:\ProgramData\3B5A.tmp "C:\ProgramData\3B5A.tmp"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{D79D5AAD-BC63-41DE-AE42-49492D7025DC}.xps" 133764973860940000
Source: C:\ProgramData\3B5A.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process created: C:\ProgramData\3B5A.tmp "C:\ProgramData\3B5A.tmp"	Jump to behavior
Source: C:\ProgramData\3B5A.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: adsldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\3B5A.tmp	Section loaded: apphelp.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: ncrypt.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: ntasn1.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: windows.storage.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: wldp.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: uxtheme.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: propsys.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: profapi.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: edputil.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: urlmon.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: iertutil.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: srvcli.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: netutils.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: sspicli.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: wintypes.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: appresolver.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: bcp47langs.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: slc.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: userenv.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: sppc.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\3B5A.tmp	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: zhbEGHo55P.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\El4CmMA.EUPTJQjet source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365448759.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ownload.errortt source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390480967.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385693273.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2387933180.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2388484993.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2395294951.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2392743496.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2397792630.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390941477.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorF source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ad_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382963901.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377813086.0000000000F72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\IIdBIRa.EUPTJQjet0 source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\UPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\IIdBIRa.EUPTJQjet` source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\EUPTJQjet.README.txtE source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2v source: zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365448759.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\UPTJQjet.README.txtLr source: zhbEGHo55P.exe, 00000000.00000003.2411212107.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390480967.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2405011103.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2406769539.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385693273.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2401189534.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367563247.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2387933180.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2388484993.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2395294951.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2404192250.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2399827167.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2392743496.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2397792630.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2403895684.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2408003222.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390941477.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2402089878.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2403697628.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$ source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\$ source: zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: zhbEGHo55P.exe, 00000000.00000003.2379770257.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2390901099.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\El4CmMA.EUPTJQjetne source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\EUPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F45000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\EUPTJQjet.README.txt_0 source: zhbEGHo55P.exe, 00000000.00000003.2378231819.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2385962002.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367898653.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2382002094.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366931152.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2366333505.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\UPTJQjet.README.txt source: zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\UPTJQjet.README.txtt source: zhbEGHo55P.exe, 00000000.00000003.2376581899.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365604223.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2374943022.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2373288962.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2371778045.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2367406714.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2365448759.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp

Source: 3B5A.tmp.0.dr	Static PE information: real checksum: 0x8fd0 should be: 0x4f26
Source: zhbEGHo55P.exe	Static PE information: real checksum: 0x0 should be: 0x23eb5

Source: zhbEGHo55P.exe

Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E061EE push esp; retf	0_2_00E061F6
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E035D3 push 0000006Ah; retf	0_2_00E03644
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E035D5 push 0000006Ah; retf	0_2_00E03644
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0356B push 0000006Ah; retf	0_2_00E03644

Source: 3B5A.tmp.0.dr

Static PE information: section name: .text entropy: 7.985216639497568

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

File created: C:\ProgramData\3B5A.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

File created: C:\ProgramData\3B5A.tmp

Jump to dropped file

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Videos\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Searches\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Saved Games\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Recent\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Pictures\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Pictures\Saved Pictures\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Pictures\Camera Roll\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\OneDrive\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Music\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Links\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Favorites\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Favorites\Links\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Downloads\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\TQDFJHPUIU\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\QCOILOQIKC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\NVWZAPQSQL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\LIJDSFKJZG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\GLTYDMDUST\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EOWRVPQCCS\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EFOYFBOLXA\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\EEGWXUHVUG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Documents\DUUDTUBZFW\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\TQDFJHPUIU\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\QCOILOQIKC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\NVWZAPQSQL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\LIJDSFKJZG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\GLTYDMDUST\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EOWRVPQCCS\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EFOYFBOLXA\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\EEGWXUHVUG\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Desktop\DUUDTUBZFW\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\Contacts\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\7f127c30-a3b8-4aab-b28d-01f679ac280d\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\VirtualStore\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5652_1417691134\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5156_110794397\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Low\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_965461321\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_62919943\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_601093063\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_423664317\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_320437163\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_236606693\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_2073859434\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1819848164\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1798580215\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1779658456\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1763153001\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1740856358\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1725894609\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_17058258\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1567651471\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1239538394\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1077836906\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_5464_1012409649\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\PeerDistRepub\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{ac01b07d-c9ac-4d31-8220-3dc6d7aa0576}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{6f6a6616-c437-4533-b6a1-6b30da29cd38}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c82d26a9-b16c-48ba-9444-88303f538f65}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{84c2e19f-ba07-4fa5-bd92-4f6344328293}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{83e066fd-b384-48a0-aa9a-a84b64b92fcb}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c6c2934-0fe6-436b-88a8-a2fbe2de3751}\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\EUPTJQjet.README.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\ProgramData\3B5A.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL
Source: C:\ProgramData\3B5A.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E091C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,

0_2_00E091C8

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\3B5A.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E010BC		0_2_00E010BC
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_00401E28		7_2_00401E28

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E010BC rdtsc

0_2_00E010BC

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E074BC FindFirstFileExW,FindNextFileW,	0_2_00E074BC
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0A094 FindFirstFileExW,FindClose,	0_2_00E0A094
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E05C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,	0_2_00E05C24
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E07590 FindFirstFileExW,FindClose,	0_2_00E07590
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,	0_2_00E0766C
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Code function: 0_2_00E0F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,	0_2_00E0F308
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_0040227C FindFirstFileExW,	7_2_0040227C
Source: C:\ProgramData\3B5A.tmp	Code function: 7_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,	7_2_0040152C

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E07468 GetLogicalDriveStringsW,GetDriveTypeW,

0_2_00E07468

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior

Source: zhbEGHo55P.exe, 00000000.00000003.2377554605.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10/05/2023 06:31:11.105EXCEL (0x1EE0)0x24F0Microsoft ExcelTelemetry Eventb7vzqMediumSendEvent {"EventName":"Office.System.SystemHealthMetadataDeviceConsolidated","Flags":33777031581908737,"InternalSequenceNumber":148,"Time":"2023-10-05T06:31:08.304Z","Rule":"120600.4","Contract":"Office.Legacy.Metadata","Data.ProcTypeText":"x64","Data.ProcessorCount":2,"Data.NumProcShareSingleCore":1,"Data.NumProcShareSingleCache":1,"Data.NumProcPhysCores":2,"Data.ProcSpeedMHz":2000,"Data.IsLaptop":false,"Data.IsTablet":false,"Data.RamMB":4096,"Data.PowerPlatformRole":1,"Data.SysVolSizeMB":50000,"Data.DeviceManufacturer":"VMWare, Inc.","Data.DeviceModel":"VMware20,1","Data.DigitizerInfo":0,"Data.SusClientId":"097C77FB-5D5D-4868-860B-09F4E5B50A53","Data.WindowsSqmMachineId":"92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","Data.ComputerSystemProductUuidHash":"pNpni+sgFme2AbL0FaUYvRnb6Aw=","Data.DeviceProcessorModel":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","Data.HasSpectreFix":true,"Data.BootDiskType":"SSD"}
Source: 3B5A.tmp, 00000007.00000002.2864147217.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: zhbEGHo55P.exe, 00000000.00000003.2362670816.000000000103A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: zhbEGHo55P.exe, 00000000.00000003.2460795343.000000000104D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hyper-v:wux:hyper-v~
Source: zhbEGHo55P.exe, 00000000.00000003.2316910822.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )VMCI
Source: zhbEGHo55P.exe, 00000000.00000003.2362670816.000000000103A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: zhbEGHo55P.exe, 00000000.00000003.2700340015.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\3B5A.tmp	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E010BC rdtsc

0_2_00E010BC

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E05A20 LdrLoadDll,

0_2_00E05A20

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Memory written: C:\ProgramData\3B5A.tmp base: 401000

Jump to behavior

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	Process created: C:\ProgramData\3B5A.tmp "C:\ProgramData\3B5A.tmp"			Jump to behavior
Source: C:\ProgramData\3B5A.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E010BC cpuid

0_2_00E010BC

Source: C:\ProgramData\3B5A.tmp

Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,

7_2_00403983

Source: C:\Users\user\Desktop\zhbEGHo55P.exe

Code function: 0_2_00E104B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,

0_2_00E104B4

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\EUPTJQjet.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\EUPTJQjet.README.txt	Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\MiFnF08.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\EdFJPef.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\UBCSJLM.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\DBJmnXf.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\D09rMD1.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\p2WXVQS.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\q4CFJnx.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\luRokCw.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\9JGPaqf.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\86928e7f-6ba2-4b62-8ea8-d89cfd7a97ca	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\rj8XS8Z.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\b6281059-34c6-49d8-97c7-24de33b104ab	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\vvKFAuA.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\d3698c60-da91-4f8c-b7c7-e14b40be8bb1	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\dd74a7e7-e73b-4ab9-8964-ca5c53c60966	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\kerr3sJ.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\aRnHayn.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\uolnHb0.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\Tr8rSwO.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486838393.b7b7301e-d32e-49f7-b138-9fd21cf2ca6b.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\lI20xa0.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\NRMiOdc.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\2uMdmmu.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\4db4139f-6dcf-40ae-89c1-1ca4ca5a35ed	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\AmjwmFo.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\mmfPvYM.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\sowfzvb.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\8940dc38-b85f-4355-b090-8e4e300a9627	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\TGdEds8.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\UQVedfQ.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\iWtdOen.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\nZXNn6b.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\GveHEKL.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\hSbNHKN.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\fXLp9ua.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\zsqE47l.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\8czvcgD.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486832124.b6dd686f-a071-4a96-9ec4-4a8ffdac9d0c.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\FDPlrx8.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\Lz2qrQQ.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\vJ8tVKk.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\eeQh4ms.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\YaAeQn2.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\b38522d7-1787-4855-a312-c27916e30610	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\Ld8u5RW.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\r5WydfZ.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\wXFvPT6.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\QLSulgW.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\b6dd686f-a071-4a96-9ec4-4a8ffdac9d0c	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\b3e287d1-bcec-4242-9158-4e1296363490	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\OaopJx7.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\wA65Aca.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\b7b7301e-d32e-49f7-b138-9fd21cf2ca6b	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\ysvHg4N.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\vi4XvhV.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\1rF6mO8.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\K5rKki1.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\q8i0wrk.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\aAedI9k.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bftdmlQ.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\TvRLfZL.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\J92ULzt.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\KkkuZjJ.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486838415.86928e7f-6ba2-4b62-8ea8-d89cfd7a97ca.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\fwjMEU2.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\hJx4orC.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\5HwZ1in.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\3ODH4vT.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\8gpd86p.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\7e03a685-c52e-4810-b494-0f433b33ac49	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\qwPRWvb.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\5Ss6Pa7.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\EaKl6Gv.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\OC0kYuc.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\iJS4opz.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486832120.4cb4db2a-ee68-4128-8ff4-f04bdc710c24.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\fzVBbK8.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\xr6C18v.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\pWhDM8j.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\STEwJN6.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\deIuDfB.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\c96bazW.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\75265401-2d75-4127-a70f-7d6e61df69a0	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\0eeJis8.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\eQIOIGi.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\4cb4db2a-ee68-4128-8ff4-f04bdc710c24	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486832123.3eb2db8e-f770-4c52-9d7b-27180bea4925.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\KW8ZwkH.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486832118.b6281059-34c6-49d8-97c7-24de33b104ab.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\x3atRlX.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486838410.75265401-2d75-4127-a70f-7d6e61df69a0.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\0KGYUE1.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\3eb2db8e-f770-4c52-9d7b-27180bea4925	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\SWSCRek.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\A85vXOE.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\6IrB2Ca.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\SxpehVo.EUPTJQjet	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\1696486838409.7e03a685-c52e-4810-b494-0f433b33ac49.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\zhbEGHo55P.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	112 Process Injection	11 Masquerading	1 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Proxy	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	112 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	122 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Indicator Removal	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
zhbEGHo55P.exe	95%	ReversingLabs	Win32.Ransomware.Lockbit
zhbEGHo55P.exe	100%	Avira	BDS/ZeroAccess.Gen7
zhbEGHo55P.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\3B5A.tmp	100%	Avira	TR/Crypt.ZPACK.Gen
C:\ProgramData\3B5A.tmp	100%	Joe Sandbox ML
C:\ProgramData\3B5A.tmp	87%	ReversingLabs	Win32.Trojan.Malgent

Source	Detection	Scanner	Label
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion$?	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionL	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionh?	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionY	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional8	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	100%	Avira URL Cloud	malware
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionins	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF	0%	Avira URL Cloud	safe
http://lockbitsupp.uzFFFFFFFFFFFFFFFFFFFFF	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	100%	Avira URL Cloud	malware
http://lockbitapt.uz	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl	0%	Avira URL Cloud	safe
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion	0%	Avira URL Cloud	safe
http://lockbitsupp.uz	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionV?	0%	Avira URL Cloud	safe
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0015.t-0009.t-msedge.net	13.107.246.43	true	false		high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.20	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionL	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion$?	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional8	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionh?	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionf	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionY	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF	SPL1013.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF	SPL1013.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupp.uzFFFFFFFFFFFFFFFFFFFFF	SPL1013.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/	zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2433314867.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2581174848.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454981543.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2405199774.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2323190189.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2529982078.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion	zhbEGHo55P.exe, 00000000.00000003.2552760214.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2648226451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2297273167.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2422682512.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2504179596.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2296498981.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionins	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF	SPL1013.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lockbitapt.uz	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, SPL1013.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupp.uz	zhbEGHo55P.exe, 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion	zhbEGHo55P.exe, 00000000.00000003.2552760214.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2648226451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2297273167.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2422682512.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2504179596.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2296498981.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2476991809.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2650826923.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2450140900.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2290593821.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2440046436.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2606429007.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2639055540.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2454336369.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2587777133.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2314496043.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2503379476.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2515089028.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2285717895.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2514251222.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, zhbEGHo55P.exe, 00000000.00000003.2279288820.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionV?	zhbEGHo55P.exe, 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558517
Start date and time:	2024-11-19 14:41:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zhbEGHo55P.exe renamed because original name is a hash value
Original Sample Name:	82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69(1).exe
Detection:	MAL
Classification:	mal100.rans.phis.spyw.evad.winEXE@9/1689@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 83 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, printfilterpipelinesvc.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 184.28.90.27, 52.109.28.47, 52.113.194.132, 52.182.143.208
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, onedscolprdcus04.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, uks-azsc-000.roaming.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: zhbEGHo55P.exe

Simulations

Behavior and APIs

Time	Type	Description
08:42:55	API Interceptor	5x Sleep call for process: zhbEGHo55P.exe modified
08:43:05	API Interceptor	107x Sleep call for process: splwow64.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	New.Order Request-#54576.scr	Get hash	malicious	Unknown	Browse	212.229.88.13
	file.exe	Get hash	malicious	Credential Flusher	Browse	217.20.57.20
	Airtame-4.11.0-setup.msi	Get hash	malicious	Unknown	Browse	217.20.57.35
	Fluor RFQ1475#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	217.20.57.19
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	217.20.57.42
	87654785457596574686FKHN-Copy.pdf	Get hash	malicious	Phisher	Browse	217.20.57.35
	Annual_Benefits_&_Bonus_for_Lorne.zuck#IyNURVhUTlVNUkFORE9NNDUjIw==.docx	Get hash	malicious	Unknown	Browse	84.201.210.39
	purchase order (2).xls	Get hash	malicious	Unknown	Browse	217.20.57.19
	new.bat	Get hash	malicious	Unknown	Browse	84.201.212.67
	https://url.us.m.mimecastprotect.com/s/7XsKCQWmqkh6El9PsPhEHGZMGK?domain=hbgone.docdroid.com	Get hash	malicious	Unknown	Browse	217.20.57.22
s-part-0015.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.43
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.43
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.43
	VNC Sales.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.43
	https://midlandtxconstruction.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPU5VVmliM0U9JnVpZD1VU0VSMTcxMDIwMjRVMDAxMDE3NDA=N0123N	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.43
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.43
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.43
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	13.107.246.43
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUM1RXUzBHU1RDUjlQOFBPUUE4QVRaS0pPSC4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.43
	EFT Remittance_(Rburt)CQDM.html	Get hash	malicious	Mamba2FA	Browse	13.107.246.43

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\3B5A.tmp	LB3.exe	Get hash	malicious	LockBit ransomware	Browse
	LBB.exe	Get hash	malicious	LockBit ransomware	Browse
	ggjLV4w8Ya.exe	Get hash	malicious	LockBit ransomware	Browse
	yEB1xvr2rZ.exe	Get hash	malicious	LockBit ransomware	Browse
	71p2xmx6rP.exe	Get hash	malicious	LockBit ransomware	Browse
	98ST13Qdiy.exe	Get hash	malicious	LockBit ransomware	Browse
	c8JakemodH.exe	Get hash	malicious	LockBit ransomware	Browse
	Document.doc.scr.exe	Get hash	malicious	LockBit ransomware, TrojanRansom	Browse
	Rcqcps3y45.exe	Get hash	malicious	LockBit ransomware	Browse
	LBB.exe	Get hash	malicious	LockBit ransomware	Browse

Process:	C:\Users\user\Desktop\zhbEGHo55P.exe
File Type:	data
Category:	dropped
Size (bytes):	129
Entropy (8bit):	6.501347894874276
Encrypted:	false
SSDEEP:	3:2aLpGCw/lFRtyi0sta6zuHC1bWVvQ6U5yv0WSBjfIXg8Wb:2ApGpFXV0snCHC1IQ6Rv0Wkjsm
MD5:	F93D9A1D1CCC18A25169C3175F42F815
SHA1:	EB4C271DFDE9ACD4115D87994719F6C05960E432
SHA-256:	C4895455050915330CD9CCBC262E96BAB1EDBBE8AA41DB47DEE268BCDFAB44D4
SHA-512:	DC45EAD1BB2021EF09495990DF0EFD04F170A047D3F1F646FD143C85175453EED39143BC09684A9064D70BCE12B3025D9F34769585C1C3BDEC9CB8B9C0E68F03
Malicious:	false
Reputation:	low
Preview:	...nI.."n...g..@.f...8..C.....^j.H+.._.K.HU.=#!..sp\|\|J.&..q.........A......M...Aq...w..,.y."..=.Z-.W}.f.).....m.Jc..~

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\splwow64.exe
File Type:	Microsoft OOXML
Category:	dropped
Size (bytes):	13757490
Entropy (8bit):	7.891417365960129
Encrypted:	false
SSDEEP:	196608:tZyDsFjVMKMLaqAl/gDgbw/LcbcaLgBVwhu:teGwD
MD5:	69B37A614B91961F68EF87E85E22FFBF
SHA1:	20D8F9AA46B932432C656274635C2AD3392D8B73
SHA-256:	B6D18CB624E76CE4E243D3CEE7312EAE8A14F084B2FB9258E28A90A83AA239A5
SHA-512:	2E781AEC0E372AF932161D064BB4C93F5C68B603785D3285F88BBF1CA6B784B9A7E67BD5742EEE8C84747A2B6B999FC398D005C0C4332E377C063112804C32A6
Malicious:	false
Preview:	PK........#FsY................[Content_Types].xml/[0].piece.....0..W..o.x .....e.(....Ql!..<...S^.MMw....#Nr.9....p..:..J.z..`3..DM....T.n..J..-c...3....&a#......PK....X.j...q...PK........cFsY................[Content_Types].xml/[1].piece..1..0....eE$....{e.C.&..X.........H\., .....o.T..i.."...K.s..4..VW...i+.Ak.....}....\.+..O?PK..K..jb...l...PK........cFsY................_rels/.rels/[0].pieceM.A..!.E.B.w...1.....9@...C!...?,].......f..4.qp.,.._^I...y?\`.....Cc.jF". .^...#g.T.A.e.c.........3.....PK...BpJl...y...PK........cFsY................_rels/.rels/[1].piece..K..0....9@&.....nk/.....O3S...s....L/'.UN...'.......P....UO:....=X......B..gD...c]...[..[..3..9.9a.... .....N.PK..4...u.......PK........cFsY................[Content_Types].xml/[2].piece-.A.. .F....p.u.q.&....!...m..[.n_^..kA.......>\|.......f....`........}..F..(v.6.t...0-.n.C\|@.N-.Z...PK....[Pm...{...PK........cFsY............%...FixedDocumentSequence.fdseq/[0].pieceU.M..0.F..fo&.....H.`..2.....H.o..p

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	4.095795255000933
Encrypted:	false
SSDEEP:	3:otlAloyn:ot+
MD5:	1D0C2E40B5B94E0FB64D661FC74134E2
SHA1:	FD402FE96EAF445A21D689EE989C042423B8A6A4
SHA-256:	828B769F5E3A3EF35B32A9E7095F8B5E0326C899093063F577ABB81E0E27CDB6
SHA-512:	77F6ADEDB143ED3B32FA1B2DEC1DBFD041784F5094D2BE625CBDCB3170FBD76AFFD9D285FEC73C92BE33E37EC1C0F330942B2942B1F39A0DBD3644B9310F0194
Malicious:	false
Preview:	C:\PROGRA~3\3B5A.tmp..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.845553325757237
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zhbEGHo55P.exe
File size:	92'160 bytes
MD5:	6c755a742f2b2e5c1820f57d0338365f
SHA1:	0b22b6e5269ec241b82450a7e65009685a3010fb
SHA256:	82b336cd120ef07d8df5a3e3fa082bcca8b5c0a3481fae78cb5dd29072979f69
SHA512:	580fec443cb3236201750e643078b98e3d9f46cad3cc890b74371119f0ec33a0c5ba526e6135cc1ddcb90d867c214e37c700af55309c7725ed44e100173630ed
SSDEEP:	1536:yvXFnGvewvD/F3nICjRM5CEL92vR2zh9ckMBsA1RXZN1Mevt5:Ow3FE79UUzh9mBjBZNe
TLSH:	329302DD74A97253E7C625BC8F9DED722BE04CE58CEA18978C55C631A0B4AF08C08963
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..c.................p....... ..0....0........@.......................................@...........@....................

Entrypoint:	0x429130
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x631A9665 [Fri Sep 9 01:27:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	735a109d616d3347fcbd3bfda19abc79

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a000	0xe8	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a0e8	0xc	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x12000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x13000	0x17000	0x16400	ae1d7a16f02179b3c2e0886c2c9544ef	False	0.9693425210674157	data	7.857377972653934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x2a000	0x1000	0x200	606cb6b8b3a25253e435727d873c26c8	False	0.31640625	data	2.1963755113672714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL	Import
gdi32.dll	SetPixel
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
USER32.dll	EndDialog

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 14:42:12.956392050 CET	1.1.1.1	192.168.2.6	0xd3c7	No error (0)	shed.dual-low.s-part-0015.t-0009.t-msedge.net	s-part-0015.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 14:42:12.956392050 CET	1.1.1.1	192.168.2.6	0xd3c7	No error (0)	s-part-0015.t-0009.t-msedge.net		13.107.246.43	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:44:02.279485941 CET	1.1.1.1	192.168.2.6	0xcf79	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 14:44:02.279485941 CET	1.1.1.1	192.168.2.6	0xcf79	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.20	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:44:02.279485941 CET	1.1.1.1	192.168.2.6	0xcf79	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.36	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:44:02.279485941 CET	1.1.1.1	192.168.2.6	0xcf79	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.19	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:44:02.279485941 CET	1.1.1.1	192.168.2.6	0xcf79	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.35	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:42:19
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\zhbEGHo55P.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zhbEGHo55P.exe"
Imagebase:	0xe00000
File size:	92'160 bytes
MD5 hash:	6C755A742F2B2E5C1820F57D0338365F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.2850291863.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2852246091.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000002.2851715521.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	08:43:17
Start date:	19/11/2024
Path:	C:\ProgramData\3B5A.tmp
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\3B5A.tmp"
Imagebase:	0x400000
File size:	14'336 bytes
MD5 hash:	294E9F64CB1642DD89229FFF0592856B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	08:43:18
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B5A.tmp >> NUL
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.9%
Total number of Nodes:	1940
Total number of Limit Nodes:	121

Execution Coverage:	32.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	160
Total number of Limit Nodes:	1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zhbEGHo55P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\AAAAAAAAAAA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\BBBBBBBBBBB (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\CCCCCCCCCCC (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\DDDDDDDDDDD (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\EEEEEEEEEEE (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\FFFFFFFFFFF (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\GGGGGGGGGGG (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HHHHHHHHHHH (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\IIIIIIIIIII (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\JJJJJJJJJJJ (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\KKKKKKKKKKK (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\LLLLLLLLLLL (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\MMMMMMMMMMM (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\NNNNNNNNNNN (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\OOOOOOOOOOO (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\PPPPPPPPPPP (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\QQQQQQQQQQQ (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\RRRRRRRRRRR (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\SSSSSSSSSSS (copy)

Windows Analysis Report
zhbEGHo55P.exe

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre