Windows Analysis Report
RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Overview

General Information

Sample name: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Analysis ID: 1538180
MD5: e2ab6ff49774a8d73f56e95ea4b5fde9
SHA1: 2e4744a2bf1dd07ebb2b585afbc2d02227bf8ee7
SHA256: 829026e0d6a6f73f3328bb4aabd5f0e3f063f000cd9d860c051b307e148395d5
Tags: exe, user-threatcat_ch

Detection

PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to many different domains
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
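Two of the signature families above (Sigma "Powershell Base64 Encoded MpPreference Cmdlet" / "Powershell Defender Exclusion", and "Suspicious Add Scheduled Task Parent" / "Suspicious Schtasks From Env Var Folder") are detectable from process-creation command lines alone, provided the analyst first unwraps PowerShell's -EncodedCommand form, which is base64 over UTF-16LE rather than plain base64. The following stdlib-only triage script is an added example, not part of the Joe Sandbox report or of any Sigma rule's logic; the sample command lines are constructed fixtures that mimic the report's behaviours (Defender exclusion, schtasks with an action under an environment-variable folder) and are not taken from the analysed sample, and the regexes are simplifications of the published rules.

```python
"""Triage Windows process-creation command lines for Defender-exclusion tampering
(including base64 -EncodedCommand PowerShell) and scheduled tasks whose action lives
in a user-writable environment-variable folder. Stdlib only; sample events are constructed."""
import base64
import re
from typing import List, Optional, Tuple


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable.
    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        flag = tok.lstrip("-/").lower()
        if flag and ("encodedcommand".startswith(flag) or flag == "ec"):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("'\""), validate=True)
                return raw.decode("utf-16-le")          # encoded commands are UTF-16LE, not UTF-8
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Simplified approximations of the Sigma rules named in the report (assumption: not the rules' exact logic).
RULES: List[Tuple[str, re.Pattern]] = [
    ("MpPreference cmdlet (Add/Set/Remove)",
     re.compile(r"\b(?:Add|Set|Remove)-MpPreference\b", re.I)),
    ("Defender exclusion added",
     re.compile(r"\b(?:Add|Set)-MpPreference\b[^|;]*-Exclusion(?:Path|Extension|Process|IpAddress)\b", re.I)),
    ("schtasks /create with action in env-var folder",
     re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/tr\b.*?"
                r"(?:%(?:appdata|localappdata|temp|tmp|public|programdata)%|\\appdata\\(?:local|roaming)\\)",
                re.I | re.S)),
]


def analyze(cmdline: str) -> Tuple[List[str], str]:
    """Return (findings, effective command line). Encoded payloads are decoded before matching,
    so an obfuscated Add-MpPreference is caught the same way as a plaintext one."""
    decoded = decode_encoded_command(cmdline)
    effective = decoded if decoded is not None else cmdline
    findings = ["encoded PowerShell command"] if decoded is not None else []
    findings += [name for name, pattern in RULES if pattern.search(effective)]
    return findings, effective


def triage(events: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one rule."""
    return [(i, analyze(e)[0]) for i, e in enumerate(events) if analyze(e)[0]]


def ps_encode(script: str) -> str:
    """Build an -EncodedCommand value the way powershell.exe expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-EID-1-style command lines; none are copied from the report.
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + ps_encode('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'),
    "powershell -w hidden -enc " + ps_encode("Set-MpPreference -ExclusionExtension .exe"),
    'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "%APPDATA%\\upd.exe" /f',
    "powershell.exe -NoProfile -Command Get-MpPreference",          # read-only, benign
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, hits, "<-", analyze(SAMPLE_EVENTS[idx])[1][:80])
```

Feed real Sysmon or 4688 command lines into `triage()`; events 0 to 2 above should fire and 3 and 4 should stay silent. Matching on the decoded text is the point: a rule that only looks at the raw command line never sees "MpPreference" inside the base64 blob.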

Classification

Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently either as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data and credit card information. It also takes a system inventory when running on a target machine, including the username, location data, hardware configuration and details of installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: 5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Joe Sandbox ML: detected
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000003.00000003.1756263146.0000000005F80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: microsofts.exe, 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2439350097.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: microsofts.exe, 00000004.00000003.2414424613.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\vds.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msiexec.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\VSSVC.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbengine.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SearchIndexer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\TieringEngineService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AgentService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\FXSSVC.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SensorDataService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msdtc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
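The "System file written" hits above are the Expiro file-infector behaviour: a dropper in %TEMP% (microsofts.exe) rewrites installed executables under System32, SysWOW64 and Program Files, and one write comes from a SysWOW64 svchost.exe, i.e. an injected host process. Every listed target has to be treated as infected regardless of per-file AV verdicts. The script below is an added example, not part of the Joe Sandbox report: it parses lines in this format into a writer-to-target checklist and ranks them with a simple rule (user-writable writer rewriting a protected .exe is high, a non-installer system process doing so is medium). The path classes, the installer allowlist and the severity labels are this example's assumptions; the sample lines are copied from the report.

```python
"""Build a verification list from 'System file written' report lines.

Sample lines are copied from the report. The protected roots, user-writable
roots, installer allowlist and severity labels are this example's assumptions."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

WRITE_RE = re.compile(
    r"^Source: (?P<writer>.+?) System file written: (?P<target>.+?)(?: Jump to behavior)?$"
)

# .exe files under these roots normally change only through an installer/updater.
PROTECTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                   "c:\\program files\\", "c:\\program files (x86)\\")
# Writable without elevation: where first-stage droppers live.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# Assumed allowlist of processes that legitimately replace installed binaries.
INSTALLERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}

SAMPLE_LINES = [  # copied from the report; the trailing link label is optional
    r"Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\vds.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msiexec.exe Jump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe Jump to behavior",
]


def parse_write(line):
    """'Source: <writer> System file written: <target>' -> (writer, target), else None."""
    m = WRITE_RE.match(line.strip())
    return (m["writer"], m["target"]) if m else None


def is_protected_target(path):
    p = path.lower()
    return p.endswith(".exe") and p.startswith(PROTECTED_ROOTS)


def is_untrusted_writer(path):
    p = path.lower()
    return any(root in p for root in USER_WRITABLE)


def severity(writer, target):
    """high: dropper in a user-writable dir rewrote an installed .exe (the
    infection pattern on this page); medium: a process outside the installer
    allowlist did it (here the SysWOW64 svchost host); info: anything else."""
    if not is_protected_target(target):
        return "info"
    if is_untrusted_writer(writer):
        return "high"
    if PureWindowsPath(writer).name.lower() in INSTALLERS:
        return "info"
    return "medium"


def build_checklist(lines):
    """Group rewritten binaries by writer and severity. 'verify' is every
    protected target: the set to hash-compare, signature-check and reinstall."""
    by_writer, by_severity = defaultdict(list), defaultdict(list)
    for writer, target in filter(None, map(parse_write, lines)):
        by_writer[writer].append(target)
        by_severity[severity(writer, target)].append(target)
    verify = sorted(set(by_severity["high"]) | set(by_severity["medium"]))
    return {"by_writer": dict(by_writer), "by_severity": dict(by_severity), "verify": verify}


if __name__ == "__main__":
    result = build_checklist(SAMPLE_LINES)
    for sev in ("high", "medium"):
        for target in result["by_severity"].get(sev, []):
            print(f"{sev:6} {target}")
```

Feed it the whole section rather than the five sample lines; the "verify" list is what to pass to a signature check on the host (an Authenticode check fails for a file whose code has been patched) and to a hash comparison against clean installation media.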
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 2_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 2_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0045DD7C FindFirstFileW,FindClose, 2_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8D
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 068E62FBh 11_2_068E60C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 068E6CEBh 11_2_068E6A28
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 068E9C18h 11_2_068E9720
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 068E7813h 11_2_068E7550
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 024E7394h 12_2_024E7188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 024E78DCh 12_2_024E7688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_024E7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 024E78DCh 12_2_024E767B
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_024E7E5B

Networking

Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49736 -> 212.162.149.53:2049
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49736 -> 212.162.149.53:2049
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:61199 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:2049 -> 192.168.2.4:49736
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49740 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:2049 -> 192.168.2.4:49736
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:53926 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:53837 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:50249 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49895 -> 13.251.16.150:80
Source: Malware configuration extractor URLs: 212.162.149.53:2049
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 47
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 212.162.149.53:2049
Source: global traffic TCP traffic: 192.168.2.4:49741 -> 51.195.88.199:587
Source: Joe Sandbox View IP Address: 165.160.15.20 165.160.15.20
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 3.94.10.34 3.94.10.34
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49806
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49806
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49827
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49827
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.4:49988
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.4:49988
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.213.104.86:80 -> 192.168.2.4:50145
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.213.104.86:80 -> 192.168.2.4:50145
Source: global traffic TCP traffic: 192.168.2.4:49741 -> 51.195.88.199:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /atfsybxv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /gdxe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dggpmrspif HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /tynxrhlkri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /mrl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kngubkdkj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /smyj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /jvvbexlpmq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vpc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /xefutga HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jhywesavwlgnui HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /vuxecawgb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jeppo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qdsfjdjxkwbsc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gkcaxlxcn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iweslplsltjuljus HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /vuaobjwmdbxko HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rvac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /vdlffosnapnrfupl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hqcfmwvkngoxo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /ehonqic HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: 96 HTTP POST requests, listed below. Every request carries the same header set; only the request path, the Host and the Content-Length (778 or 826 bytes) differ.
Common headers on every request:
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Requests (request line | Host | Content-Length):
POST /dgdkhxcfkna HTTP/1.1 | Host: lpuegx.biz | Content-Length: 778
POST /yeeuocokpp HTTP/1.1 | Host: lpuegx.biz | Content-Length: 778
POST /caxqycgeiaamd HTTP/1.1 | Host: lpuegx.biz | Content-Length: 826
POST /dhwxqyxtm HTTP/1.1 | Host: vjaxhpbji.biz | Content-Length: 778
POST /ioeeuacevdof HTTP/1.1 | Host: lpuegx.biz | Content-Length: 826
POST /spftv HTTP/1.1 | Host: vjaxhpbji.biz | Content-Length: 778
POST /rcdhheuvsu HTTP/1.1 | Host: xlfhhhm.biz | Content-Length: 778
POST /thnor HTTP/1.1 | Host: xlfhhhm.biz | Content-Length: 778
POST /ef HTTP/1.1 | Host: vjaxhpbji.biz | Content-Length: 826
POST /wbgwmpvkxxw HTTP/1.1 | Host: ifsaia.biz | Content-Length: 778
POST /pfoxkxwneqnmhcsc HTTP/1.1 | Host: ifsaia.biz | Content-Length: 778
POST /sattbfx HTTP/1.1 | Host: saytjshyf.biz | Content-Length: 778
POST /qjmcjynbe HTTP/1.1 | Host: saytjshyf.biz | Content-Length: 778
POST /hudnfeopxibfg HTTP/1.1 | Host: vcddkls.biz | Content-Length: 778
POST /dqsc HTTP/1.1 | Host: vjaxhpbji.biz | Content-Length: 826
POST /qjnulfbcbrtstm HTTP/1.1 | Host: vcddkls.biz | Content-Length: 778
POST /yr HTTP/1.1 | Host: fwiwk.biz | Content-Length: 778
POST /i HTTP/1.1 | Host: fwiwk.biz | Content-Length: 778
POST /gobhb HTTP/1.1 | Host: tbjrpv.biz | Content-Length: 778
POST /dobp HTTP/1.1 | Host: tbjrpv.biz | Content-Length: 778
POST /uxri HTTP/1.1 | Host: xlfhhhm.biz | Content-Length: 826
POST /prvlplgfktyghiuq HTTP/1.1 | Host: deoci.biz | Content-Length: 778
POST /gpnrhxymwwoww HTTP/1.1 | Host: deoci.biz | Content-Length: 778
POST /sbrspaxifluxyh HTTP/1.1 | Host: xlfhhhm.biz | Content-Length: 826
POST /v HTTP/1.1 | Host: gytujflc.biz | Content-Length: 778
POST /pyjgudwdt HTTP/1.1 | Host: gytujflc.biz | Content-Length: 778
POST /wktespcp HTTP/1.1 | Host: ifsaia.biz | Content-Length: 826
POST /xraiohcidq HTTP/1.1 | Host: qaynky.biz | Content-Length: 778
POST /vf HTTP/1.1 | Host: saytjshyf.biz | Content-Length: 826
POST /xykyylrqbfiyxv HTTP/1.1 | Host: qaynky.biz | Content-Length: 778
POST /fqkauqnsnykhqmm HTTP/1.1 | Host: saytjshyf.biz | Content-Length: 826
POST /fuhcig HTTP/1.1 | Host: vcddkls.biz | Content-Length: 826
POST /hnkvsfse HTTP/1.1 | Host: bumxkqgxu.biz | Content-Length: 778
POST /sfsrqtr HTTP/1.1 | Host: dwrqljrr.biz | Content-Length: 778
POST /dboalvdlyo HTTP/1.1 | Host: vcddkls.biz | Content-Length: 826
POST /ikvygvnodbxw HTTP/1.1 | Host: dwrqljrr.biz | Content-Length: 778
POST /bdtrq HTTP/1.1 | Host: nqwjmb.biz | Content-Length: 778
POST /bql HTTP/1.1 | Host: fwiwk.biz | Content-Length: 826
POST /rtktsu HTTP/1.1 | Host: fwiwk.biz | Content-Length: 826
POST /swl HTTP/1.1 | Host: nqwjmb.biz | Content-Length: 778
POST /yfkb HTTP/1.1 | Host: tbjrpv.biz | Content-Length: 826
POST /rnre HTTP/1.1 | Host: ytctnunms.biz | Content-Length: 778
POST /fkekmmmc HTTP/1.1 | Host: tbjrpv.biz | Content-Length: 826
POST /lmccoqeoetyh HTTP/1.1 | Host: ytctnunms.biz | Content-Length: 778
POST /mytb HTTP/1.1 | Host: deoci.biz | Content-Length: 826
POST /xdytdotbepaidw HTTP/1.1 | Host: myups.biz | Content-Length: 778
POST /jbtgiilqotksodi HTTP/1.1 | Host: deoci.biz | Content-Length: 826
POST /ewwexq HTTP/1.1 | Host: myups.biz | Content-Length: 778
POST /hvyr HTTP/1.1 | Host: gytujflc.biz | Content-Length: 826
POST /uyciffjgsguvtk HTTP/1.1 | Host: oshhkdluh.biz | Content-Length: 778
POST /smxlcsofdvekwjcg HTTP/1.1 | Host: gytujflc.biz | Content-Length: 826
POST /hlqwiqs HTTP/1.1 | Host: oshhkdluh.biz | Content-Length: 778
POST /kpfmyendmvbe HTTP/1.1 | Host: qaynky.biz | Content-Length: 826
POST /uitbt HTTP/1.1 | Host: bumxkqgxu.biz | Content-Length: 826
POST /jfogdd HTTP/1.1 | Host: yunalwv.biz | Content-Length: 778
POST /eaff HTTP/1.1 | Host: yunalwv.biz | Content-Length: 778
POST /dhaqnsepv HTTP/1.1 | Host: bumxkqgxu.biz | Content-Length: 826
POST /gkyxxtcmyqyikvyh HTTP/1.1 | Host: jpskm.biz | Content-Length: 778
POST /llqwfg HTTP/1.1 | Host: dwrqljrr.biz | Content-Length: 826
POST /ktqlpojqyvkm HTTP/1.1 | Host: jpskm.biz | Content-Length: 778
POST /lmmwofqbgibg HTTP/1.1 | Host: dwrqljrr.biz | Content-Length: 826
POST /unbrcr HTTP/1.1 | Host: lrxdmhrr.biz | Content-Length: 778
POST /dfhareuduqlkw HTTP/1.1 | Host: nqwjmb.biz | Content-Length: 826
POST /dfkoxo HTTP/1.1 | Host: lrxdmhrr.biz | Content-Length: 778
POST /mag HTTP/1.1 | Host: nqwjmb.biz | Content-Length: 826
POST /vwiainnwhhxhmrl HTTP/1.1 | Host: wllvnzb.biz | Content-Length: 778
POST /qxusu HTTP/1.1 | Host: ytctnunms.biz | Content-Length: 826
POST /jnsspbhiayv HTTP/1.1 | Host: ytctnunms.biz | Content-Length: 826
POST /mwjcsncppbbsr HTTP/1.1 | Host: wllvnzb.biz | Content-Length: 778
POST /olxjktqd HTTP/1.1 | Host: myups.biz | Content-Length: 826
POST /tcqjjounlnobfq HTTP/1.1 | Host: gnqgo.biz | Content-Length: 778
POST /m HTTP/1.1 | Host: myups.biz | Content-Length: 826
POST /lix HTTP/1.1 | Host: gnqgo.biz | Content-Length: 778
POST /pfqnedtf HTTP/1.1 | Host: oshhkdluh.biz | Content-Length: 826
POST /xobu HTTP/1.1 | Host: oshhkdluh.biz | Content-Length: 826
POST /ccaldaoawyay HTTP/1.1 | Host: jhvzpcfg.biz | Content-Length: 778
POST /qsp HTTP/1.1 | Host: yunalwv.biz | Content-Length: 826
POST /ccrsdbhein HTTP/1.1 | Host: jhvzpcfg.biz | Content-Length: 778
POST /vmln HTTP/1.1 | Host: yunalwv.biz | Content-Length: 826
POST /ngqgkogciouo HTTP/1.1 | Host: acwjcqqv.biz | Content-Length: 778
POST /mud HTTP/1.1 | Host: jpskm.biz | Content-Length: 826
POST /bylbanfgrbak HTTP/1.1 | Host: jpskm.biz | Content-Length: 826
POST /rginqqoeriix HTTP/1.1 | Host: acwjcqqv.biz | Content-Length: 778
POST /firf HTTP/1.1 | Host: lrxdmhrr.biz | Content-Length: 826
POST /fkolun HTTP/1.1 | Host: vyome.biz | Content-Length: 778
POST /gxaexbrilqhff HTTP/1.1 | Host: lrxdmhrr.biz | Content-Length: 826
POST /b HTTP/1.1 | Host: vyome.biz | Content-Length: 778
POST /rmqv HTTP/1.1 | Host: yauexmxk.biz | Content-Length: 778
POST /jrt HTTP/1.1 | Host: wllvnzb.biz | Content-Length: 826
POST /tkikmchfy HTTP/1.1 | Host: yauexmxk.biz | Content-Length: 778
POST /qujmm HTTP/1.1 | Host: wllvnzb.biz | Content-Length: 826
POST /rcghpbxpojjll HTTP/1.1 | Host: iuzpxe.biz | Content-Length: 778
POST /rw HTTP/1.1 | Host: gnqgo.biz | Content-Length: 826
POST /kx HTTP/1.1 | Host: iuzpxe.biz | Content-Length: 778
POST /aopjncgsm HTTP/1.1 | Host: gnqgo.biz | Content-Length: 826
POST /lkksdoxsvitr HTTP/1.1 | Host: jhvzpcfg.biz | Content-Length: 826
Source: global traffic HTTP traffic detected: POST /rkvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qsmoxnmhx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /wgsqpusbi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dpkfjsv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /rtsxpsr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /sywsqcciw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gksshbghniig HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /skudpvsbobr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /flkllmp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /skmiedduquder HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /gs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hjhd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /qmr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /wlirwlunhdx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fapfitlarmcnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hpebeygkilgsi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /hbbreaeoihjkosw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /qsxryrm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /dw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hph HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /unx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xurncvjdsxxnivfe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ptyighahceku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /kfucjjkorih HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53 (this entry appears 50 times in the report)
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: unknown HTTP traffic detected: POST /atfsybxv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 826
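The request and DNS lines above are the indicators a responder will pivot on: one fixed non-browser User-Agent string POSTing small bodies (778 or 826 bytes) to a stream of random-looking .biz hosts, plus a separate Firefox-style GET to api.ipify.org for the external IP. The following triage script is an added example written for this page; it is not the sandbox vendor's code. The embedded request and DNS lines are copied from the report (headers run together exactly as the report renders them); the header-splitting parser, the naive registrable-domain split (last two labels, no public-suffix list), the "looks random" lexical test and every threshold are assumptions made for illustration.

```python
"""Triage the run-together HTTP request lines and the DNS query list above."""
import re
from collections import defaultdict

# Constructed sample: five request lines copied verbatim from the report.
REPORT_HTTP_LINES = """\
Source: global traffic HTTP traffic detected: POST /fkolun HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gxaexbrilqhff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: POST /rmqv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown HTTP traffic detected: POST /atfsybxv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
"""

# Constructed sample: the DNS query names listed in the report, in report order.
DNS_QUERIES = """
api.ipify.org pywolwnvd.biz ssbzmoy.biz cvgrf.biz s82.gocheapweb.com npukfztj.biz
przvgke.biz zlenh.biz knjghuig.biz uhxqin.biz anpmnmxo.biz lpuegx.biz vjaxhpbji.biz
xlfhhhm.biz ifsaia.biz saytjshyf.biz vcddkls.biz fwiwk.biz tbjrpv.biz deoci.biz
gytujflc.biz qaynky.biz bumxkqgxu.biz dwrqljrr.biz nqwjmb.biz ytctnunms.biz myups.biz
oshhkdluh.biz yunalwv.biz jpskm.biz lrxdmhrr.biz wllvnzb.biz gnqgo.biz jhvzpcfg.biz
acwjcqqv.biz lejtdj.biz vyome.biz yauexmxk.biz iuzpxe.biz sxmiywsfv.biz vrrazpdh.biz
ftxlah.biz typgfhb.biz esuzf.biz gvijgjwkh.biz qpnczch.biz brsua.biz
""".split()

_PREFIX = re.compile(r"^Source: .*?HTTP traffic detected: ")
_REQLINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
# The report drops the CRLFs, so header names are the only usable delimiters (assumed list).
HEADER_NAMES = ("Cache-Control", "Connection", "Pragma", "Host",
                "User-Agent", "Content-Length", "Content-Type", "Accept")
_HDR_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))
VOWELS = set("aeiou")


def parse_request_line(line):
    """Turn one run-together report line into {method, path, headers}."""
    text = _PREFIX.sub("", line.strip(), count=1)
    m = _REQLINE.match(text)
    if not m:
        raise ValueError("not an HTTP request line: %r" % line[:60])
    headers = {}
    for chunk in _HDR_SPLIT.split(text[m.end():]):  # zero-width split before each header name
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value
    return {"method": m["method"], "path": m["path"], "headers": headers}


def beacon_profiles(requests):
    """Group requests by User-Agent: distinct hosts, paths, methods and body sizes."""
    prof = defaultdict(lambda: {"hosts": set(), "paths": set(), "methods": set(), "lengths": set()})
    for r in requests:
        h = r["headers"]
        p = prof[h.get("User-Agent", "")]
        p["hosts"].add(h.get("Host", ""))
        p["paths"].add(r["path"])
        p["methods"].add(r["method"])
        if "Content-Length" in h:
            p["lengths"].add(int(h["Content-Length"]))
    return dict(prof)


def looks_random(label):
    """Cheap lexical DGA test: few vowels or a long consonant run (thresholds assumed)."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.35 or longest >= 4


def registrable(domain):
    """Naive registrable domain: last two labels (assumption; no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dga_clusters(domains, min_size=8, min_random_share=0.7):
    """TLDs under which many distinct, mostly random-looking domains were queried."""
    by_tld = defaultdict(set)
    for d in domains:
        reg = registrable(d)
        by_tld[reg.split(".")[-1]].add(reg)
    out = {}
    for tld, regs in by_tld.items():
        if len(regs) < min_size:
            continue
        rnd = sum(looks_random(r.split(".")[0]) for r in regs)
        if rnd / len(regs) >= min_random_share:
            out[tld] = {"domains": sorted(regs), "random_looking": rnd}
    return out


def triage(http_lines, dns_queries, min_hosts=3):
    """Human-readable findings over the report's request and DNS lines (thresholds assumed)."""
    requests = [parse_request_line(l) for l in http_lines if l.strip()]
    findings = []
    for ua, p in beacon_profiles(requests).items():
        if p["methods"] == {"POST"} and len(p["hosts"]) >= min_hosts:
            findings.append("one User-Agent POSTs to %d hosts with body sizes %s (UA ends %r)"
                            % (len(p["hosts"]), sorted(p["lengths"]), ua[-24:]))
    for tld, c in dga_clusters(dns_queries).items():
        findings.append("%d distinct .%s domains queried, %d random-looking: likely DGA"
                        % (len(c["domains"]), tld, c["random_looking"]))
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_HTTP_LINES.splitlines(), DNS_QUERIES):
        print(finding)
```

Run on the embedded lines it reports the single WindowsWechat/QQBrowser User-Agent POSTing to four hosts with 778- and 826-byte bodies, and 45 distinct .biz domains of which 39 pass the lexical test. The User-Agent string and the fixed body sizes are the cheapest network signature to write from this report; the 212.162.149.53 connections made without any DNS lookup are the other artifact worth a separate rule, since they bypass DNS-based blocking entirely.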
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:02 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:03 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:17 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:18 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:22 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:22 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:35 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:36 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 00000006.00000003.2767578204.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/1gk
Source: alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/3
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/;
Source: alg.exe, 00000006.00000003.2767578204.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/O
Source: alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/m
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/ngsO
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/o
Source: alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/or
Source: alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/pfoxkxwneqnmhcsc
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/wbgwmpvkxxw
Source: alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2767578204.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/wgsqpusbi
Source: alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/wlirwlunhdx
Source: alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/pfoxkxwneqnmhcsc
Source: alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/wbgwmpvkxxw
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2023523733.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.1
Source: alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/g
Source: alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/i
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/rO
Source: alg.exe, 00000006.00000003.2214400223.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/s
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/yr
Source: alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/yrfbcbrtstm
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/yrgsfg
Source: alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138:80/iw
Source: alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138:80/yrX
Source: alg.exe, 00000006.00000003.1894394555.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1884187147.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1911980728.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1895017111.00000000005A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/qdsfjdjxkwbsc
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081778986.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2063437906.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2100147605.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1894394555.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135520274.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1884187147.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1911980728.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2117644955.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1895017111.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134367323.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2023523733.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135821312.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.00000000005A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/qdsfjdjxkwbsc7p
Source: alg.exe, 00000006.00000003.2183000451.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2100147605.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183840465.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135520274.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156038418.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2117644955.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134367323.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2145188549.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135821312.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2158059198.00000000005A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.1
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081778986.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2063437906.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2023523733.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1839303243.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2652493230.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1839625966.0000000000579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/0:R
Source: alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/1
Source: alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/3
Source: alg.exe, 00000006.00000003.1839303243.000000000058B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/d
Source: alg.exe, 00000006.00000003.1839303243.000000000058B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/d&UZm
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/hudnfeopxibfg
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/lix
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/ngs
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/qjnulfbcbrtstm
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/qjnulfbcbrtstmZ
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rginqqoeriix
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rginqqoeriixfqRP
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rginqqoeriixgs
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rginqqoeriixr
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/s7
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/sO
Source: alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/vdlffosnapnrfupl
Source: alg.exe, 00000006.00000003.1912032878.000000000057E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/vuaobjwmdbxko
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/dI
Source: alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/hudnfeopxibfg
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/ngqgkogciouo
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/qjnulfbcbrtstm
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/rginqqoeriixP
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2694896622.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/P3
Source: alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/gs
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/lix
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/lixO
Source: alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/prvlplgfktyghiuq
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/w
Source: alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/prvlplgfktyghiuq
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/O
Source: alg.exe, 00000006.00000003.2528797905.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2516552846.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2478943673.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2504519718.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/eaff
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/eaff7
Source: alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/gs?
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/jfogdd
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/jfogdd4/
Source: alg.exe, 00000006.00000003.2478943673.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/jfogddQBrows
Source: alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/k
Source: alg.exe, 00000006.00000003.2919770823.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919519329.00000000005CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/dwm
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/unxx
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34:80/unxS0
Source: alg.exe, 00000006.00000003.2894328547.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/
Source: alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/f1ff7
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/hbbreaeoihjkosw
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/hbbreaeoihjkoswM
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/n
Source: alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/sywsqcciw
Source: alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/sywsqcciwings
Source: alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45:80/sywsqcciw
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/
Source: alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/Uw
Source: alg.exe, 00000006.00000003.2243645875.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.0000000000591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/dobp
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/gobhb
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/gobhbq
Source: alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/gobhbstm
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/gs
Source: alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/gs?
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/obhb
Source: alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/s
Source: alg.exe, 00000006.00000003.2243645875.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160:80/dobpp9U
Source: alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160:80/gobhbp9U
Source: alg.exe, 00000006.00000003.2383978998.0000000000591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/swlP
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/1G
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/3
Source: alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/3s
Source: alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/fkolun
Source: alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/kfucjjkorih
Source: alg.exe, 00000006.00000002.2941335928.000000000057A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/kfucjjkorihivfeP
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/ngs
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/ngs?
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86/xurncvjdsxxnivfe
Source: alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.213.104.86:80/kfucjjkorih
Source: alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/1
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/3
Source: alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/3k
Source: alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/ccaldaoawyay
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/ccrsdbhein
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/ccrsdbheinq
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/lix
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/lixO
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/ngs
Source: alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/ngs;
Source: alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156038418.0000000000591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/qjmcjynbe
Source: alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/qjmcjynbenmhcsc
Source: alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/sattbfx
Source: alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/sattbfxc
Source: alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105:80/qjmcjynbe
Source: alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105:80/sattbfx
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/3
Source: alg.exe, 00000006.00000003.2827357031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/38UU
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/3O
Source: alg.exe, 00000006.00000003.2827357031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/P
Source: alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/gss
Source: alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/hnor
Source: alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/rcdhheuvsu
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/rcdhheuvsungs
Source: alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/skudpvsbobr
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.0000000000591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/thnor
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/thnorfupl
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/w
Source: alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212:80/rcdhheuvsu
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212:80/thnoruvsu
Source: alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/)
Source: alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/W
Source: alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/Wp%XG
Source: microsofts.exe, 00000004.00000003.1816024816.00000000052DE000.00000004.00000020.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1816196442.00000000052DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/atfsybxv
Source: alg.exe, 00000006.00000003.1794897070.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805271215.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1794740931.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/gdxe
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/s
Source: alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/s3
Source: alg.exe, 00000006.00000003.1805948107.0000000000579000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805271215.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/tynxrhlkri
Source: alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/unbrcr
Source: alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/unbrcrq
Source: alg.exe, 00000006.00000003.1794897070.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/w
Source: alg.exe, 00000006.00000003.1860570785.0000000000591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/xefutga
Source: alg.exe, 00000006.00000003.1943268512.000000000057E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/dgdkhxcfkna30-9FD785CD71B6
Source: alg.exe, 00000006.00000003.2023146343.000000000057E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/dhwxqyxtm
Source: build.exe, 0000000B.00000002.1941870449.000000000094E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pywolwnvd.biz/
Source: build.exe, 0000000B.00000002.1946375903.0000000002774000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://vrrazpdh.biz/
Source: microsofts.exe, 00000004.00000003.2186972016.00000000062D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: microsofts.exe, 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: microsofts.exe, 00000004.00000003.2289955796.00000000050F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: microsofts.exe, 00000004.00000003.2290998834.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2291225690.00000000050F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\microsofts.exe
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_00459FFF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_0047C08E

System Summary

Source: 3.2.svchost.exe.5c00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.microsofts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1767717625.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: initial sample Static PE information: Filename: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 2_2_004364AA
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\76fb15a314ced2a4.bin
Source: C:\Windows\System32\wbengine.exe File created: C:\Windows\Logs\WindowsBackup
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0567CB08 0_2_0567CB08
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00409A40 2_2_00409A40
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00412038 2_2_00412038
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0047E1FA 2_2_0047E1FA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0041A46B 2_2_0041A46B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0041240C 2_2_0041240C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004045E0 2_2_004045E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00412818 2_2_00412818
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0047CBF0 2_2_0047CBF0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0044EBBC 2_2_0044EBBC
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00412C38 2_2_00412C38
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0044ED9A 2_2_0044ED9A
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00424F70 2_2_00424F70
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0041AF0D 2_2_0041AF0D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00427161 2_2_00427161
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004212BE 2_2_004212BE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00443390 2_2_00443390
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00443391 2_2_00443391
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0041D750 2_2_0041D750
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004037E0 2_2_004037E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00427859 2_2_00427859
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0040F890 2_2_0040F890
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0042397B 2_2_0042397B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00411B63 2_2_00411B63
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00423EBF 2_2_00423EBF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_056A1A68 2_2_056A1A68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052BD580 3_2_052BD580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_05287F80 3_2_05287F80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052B3780 3_2_052B3780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052BC7F0 3_2_052BC7F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052C39A3 3_2_052C39A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052B5980 3_2_052B5980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_05286EAF 3_2_05286EAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052851EE 3_2_052851EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052C00D9 3_2_052C00D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_05287B6C 3_2_05287B6C
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Code function: 4_3_006A0C8C 4_3_006A0C8C
Source: C:\Windows\System32\alg.exe Code function: 6_2_0071A810 6_2_0071A810
Source: C:\Windows\System32\alg.exe Code function: 6_2_006F7C00 6_2_006F7C00
Source: C:\Windows\System32\alg.exe Code function: 6_2_00722D40 6_2_00722D40
Source: C:\Windows\System32\alg.exe Code function: 6_2_006F79F0 6_2_006F79F0
Source: C:\Windows\System32\alg.exe Code function: 6_2_0071EEB0 6_2_0071EEB0
Source: C:\Windows\System32\alg.exe Code function: 6_2_007192A0 6_2_007192A0
Source: C:\Windows\System32\alg.exe Code function: 6_2_007193B0 6_2_007193B0
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B8A810 10_2_00B8A810
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B67C00 10_2_00B67C00
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B679F0 10_2_00B679F0
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B92D40 10_2_00B92D40
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B8EEB0 10_2_00B8EEB0
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B892A0 10_2_00B892A0
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B893B0 10_2_00B893B0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_0099DC74 11_2_0099DC74
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068EC3F8 11_2_068EC3F8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068E6A28 11_2_068E6A28
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068EB7F0 11_2_068EB7F0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068E9720 11_2_068E9720
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068E7F60 11_2_068E7F60
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068E3E1A 11_2_068E3E1A
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068E3E28 11_2_068E3E28
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 12_2_024E85C8 12_2_024E85C8
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 12_2_024E85B7 12_2_024E85B7
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DDA810 15_2_00DDA810
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DB7C00 15_2_00DB7C00
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DB79F0 15_2_00DB79F0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DE2D40 15_2_00DE2D40
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DDEEB0 15_2_00DDEEB0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DD92A0 15_2_00DD92A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DD93B0 15_2_00DD93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 00425210 appears 56 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 0041718C appears 88 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: String function: 0043362D appears 38 times
Source: chrmstp.exe.4.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.4.dr Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: setup.exe.4.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.4.dr Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: 117.0.5938.132_chrome_installer.exe.4.dr Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.4.dr Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: elevation_service.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: notification_helper.exe.4.dr Static PE information: Number of sections : 13 > 10
Source: chrmstp.exe.4.dr Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe0.4.dr Static PE information: Number of sections : 12 > 10
Source: chrome_proxy.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: chrome_pwa_launcher.exe.4.dr Static PE information: Number of sections : 13 > 10
Source: setup.exe.4.dr Static PE information: Number of sections : 14 > 10
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.0000000003AD3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003C7D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753278663.0000000004133000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752650308.000000000405D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 3.2.svchost.exe.5c00000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.microsofts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1767717625.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: armsvc.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: appvcleaner.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVShNotify.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IntegratedOffice.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MavInject32.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Native_Redline_BTC.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
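The static rows above record two indicators on the dropped third-party executables: a section count above 10 and a .reloc section carrying IMAGE_SCN_MEM_EXECUTE together with IMAGE_SCN_MEM_WRITE (compare the normal CODE|EXECUTE|READ .text of Native_Redline_BTC.exe). Relocation data is never legitimately writable and executable, so this flag combination is a cheap triage check for files touched by a file infector. The following audit is an added example, not code from the report or from the sample: it parses the PE section table with the documented IMAGE_SCN_* constants, and the `build_test_pe` helper and the two section layouts are constructed here only so the check can run offline.

```python
# Added example (not from the sandbox report or the sample): a minimal PE
# section-table audit for the two static indicators listed above, a section
# count above 10 and a .reloc section flagged EXECUTE|WRITE. Flag values are
# the documented IMAGE_SCN_* constants; the PE builder below only exists to
# construct test input offline.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes):
    """Return [(name, characteristics)] from a PE image; raises ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    if table + nsections * SECTION_HDR.size > len(data):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(nsections):
        fields = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, fields[9]))         # fields[9] is Characteristics
    return out


def audit_pe(data: bytes):
    """Return human-readable findings; an empty list means nothing suspicious."""
    sections = parse_sections(data)
    findings = []
    if len(sections) > 10:
        findings.append(f"section count {len(sections)} > 10")
    for name, flags in sections:
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name} is writable and executable")
        if flags & IMAGE_SCN_MEM_EXECUTE and not flags & IMAGE_SCN_CNT_CODE:
            findings.append(f"{name} is executable but not marked as code")
    return findings


def build_test_pe(sections):
    """Constructed PE32 skeleton: DOS stub, COFF header, zeroed optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                           # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b"".join(
        SECTION_HDR.pack(name.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                         0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + optional + table


# Constructed section layouts: a normal PE32, and the same file after a
# file infector has rewritten .reloc with the flags reported above.
CLEAN_SECTIONS = [
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
]
INFECTED_SECTIONS = CLEAN_SECTIONS[:3] + [
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE
               | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    for label, layout in (("clean", CLEAN_SECTIONS), ("infected", INFECTED_SECTIONS)):
        print(label, audit_pe(build_test_pe(layout)) or "no findings")
```

On a real file, pass `open(path, "rb").read()` to `audit_pe`; the "executable but not marked as code" finding fires on the reported .reloc flags as well, since the infector kept IMAGE_SCN_CNT_INITIALIZED_DATA while adding EXECUTE.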
Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@49/171@89/20
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 2_2_00464422
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 2_2_004364AA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052ACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 3_2_052ACBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Roaming\76fb15a314ced2a4.bin
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-76fb15a314ced2a47d8e3ee9-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-76fb15a314ced2a4-inf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-76fb15a314ced2a49ea72c54-b
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe File created: C:\Users\user\AppData\Local\Temp\anaboly
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe File read: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Process created: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: unknown Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appmanagementconfiguration.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\Locator.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\Locator.exe Section loaded: mpr.dll
Source: C:\Windows\System32\Locator.exe Section loaded: secur32.dll
Source: C:\Windows\System32\Locator.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\Locator.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: mpr.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: secur32.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Static file information: File size 5948349 > 1048576
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000003.00000003.1756263146.0000000005F80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: microsofts.exe, 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2439350097.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: microsofts.exe, 00000004.00000003.2414424613.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: appvcleaner.exe.4.dr Static PE information: 0xBEAF7172 [Mon May 18 10:01:22 2071 UTC]
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Static PE information: real checksum: 0xa2135 should be: 0x5b2ac2
Source: armsvc.exe.3.dr Static PE information: real checksum: 0x32318 should be: 0x141787
Source: Native_Redline_BTC.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x9799b
Source: armsvc.exe.3.dr Static PE information: section name: .didat
Source: IntegratedOffice.exe.4.dr Static PE information: section name: .didat
Source: IntegratedOffice.exe.4.dr Static PE information: section name: _RDATA
Source: OfficeC2RClient.exe.4.dr Static PE information: section name: .didat
Source: OfficeC2RClient.exe.4.dr Static PE information: section name: .detourc
Source: officesvcmgr.exe.4.dr Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: malloc_h
Source: chrmstp.exe.4.dr Static PE information: section name: .00cfg
Source: chrmstp.exe.4.dr Static PE information: section name: .gxfg
Source: chrmstp.exe.4.dr Static PE information: section name: .retplne
Source: chrmstp.exe.4.dr Static PE information: section name: CPADinfo
Source: chrmstp.exe.4.dr Static PE information: section name: LZMADEC
Source: chrmstp.exe.4.dr Static PE information: section name: _RDATA
Source: chrmstp.exe.4.dr Static PE information: section name: malloc_h
Source: setup.exe.4.dr Static PE information: section name: .00cfg
Source: setup.exe.4.dr Static PE information: section name: .gxfg
Source: setup.exe.4.dr Static PE information: section name: .retplne
Source: setup.exe.4.dr Static PE information: section name: CPADinfo
Source: setup.exe.4.dr Static PE information: section name: LZMADEC
Source: setup.exe.4.dr Static PE information: section name: _RDATA
Source: setup.exe.4.dr Static PE information: section name: malloc_h
Source: notification_helper.exe.4.dr Static PE information: section name: .00cfg
Source: notification_helper.exe.4.dr Static PE information: section name: .gxfg
Source: notification_helper.exe.4.dr Static PE information: section name: .retplne
Source: notification_helper.exe.4.dr Static PE information: section name: CPADinfo
Source: notification_helper.exe.4.dr Static PE information: section name: _RDATA
Source: notification_helper.exe.4.dr Static PE information: section name: malloc_h
Source: chrome_proxy.exe.4.dr Static PE information: section name: .00cfg
Source: chrome_proxy.exe.4.dr Static PE information: section name: .gxfg
Source: chrome_proxy.exe.4.dr Static PE information: section name: .retplne
Source: chrome_proxy.exe.4.dr Static PE information: section name: _RDATA
Source: chrome_proxy.exe.4.dr Static PE information: section name: malloc_h
Source: FXSSVC.exe.4.dr Static PE information: section name: .didat
Source: GoogleCrashHandler64.exe.4.dr Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.4.dr Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.4.dr Static PE information: section name: .gehcont
Source: alg.exe.4.dr Static PE information: section name: .didat
Source: GoogleUpdateComRegisterShell64.exe.4.dr Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.4.dr Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.4.dr Static PE information: section name: .gehcont
Source: elevation_service.exe.4.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.4.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.4.dr Static PE information: section name: .retplne
Source: elevation_service.exe.4.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.4.dr Static PE information: section name: malloc_h
Source: elevation_service.exe0.4.dr Static PE information: section name: .00cfg
Source: elevation_service.exe0.4.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.4.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.4.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.4.dr Static PE information: section name: malloc_h
Source: 117.0.5938.132_chrome_installer.exe.4.dr Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.4.dr Static PE information: section name: .retplne
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004171D1 push ecx; ret 2_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004038DF pushfd ; ret 3_2_004038E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004068EF push ebp; ret 3_2_004068F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004030A3 push edx; ret 3_2_004030A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A852Eh; ret 3_2_052A7F3A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8514h; ret 3_2_052A7F66
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A7E66h; ret 3_2_052A8057
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A817Ah; ret 3_2_052A808B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A82E5h; ret 3_2_052A80D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A826Ah; ret 3_2_052A819E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A849Ch; ret 3_2_052A81E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A805Ch; ret 3_2_052A8255
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8321h; ret 3_2_052A82E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A7FBFh; ret 3_2_052A831F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A7FA8h; ret 3_2_052A834C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A84BAh; ret 3_2_052A83E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8426h; ret 3_2_052A84D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8075h; ret 3_2_052A84FD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A808Ch; ret 3_2_052A8512
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8B6Fh; ret 3_2_052A8596
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8D45h; ret 3_2_052A87D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8AB5h; ret 3_2_052A8B13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8784h; ret 3_2_052A8CA1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8DC9h; ret 3_2_052A8E1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8D14h; ret 3_2_052A8E2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A8674h; ret 3_2_052A8E4D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A88A6h; ret 3_2_052A8F76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 push 052A868Ch; ret 3_2_052A8FA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A7DF0 push 052A7D4Bh; ret 3_2_052A7D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A7DF0 push 052A7DD7h; ret 3_2_052A7D9F
Source: Native_Redline_BTC.exe.3.dr Static PE information: section name: .text entropy: 7.954598996291746
Source: appvcleaner.exe.4.dr Static PE information: section name: .reloc entropy: 7.935649368853308
Source: Aut2exe.exe.4.dr Static PE information: section name: .rsrc entropy: 7.800660406797518
Source: Aut2exe_x64.exe.4.dr Static PE information: section name: .rsrc entropy: 7.800511460517213
Source: AutoIt3_x64.exe.4.dr Static PE information: section name: .reloc entropy: 7.943942511952566
Source: SciTE.exe.4.dr Static PE information: section name: .reloc entropy: 7.912333689161405
Source: IntegratedOffice.exe.4.dr Static PE information: section name: .reloc entropy: 7.926776725780685
Source: jucheck.exe.4.dr Static PE information: section name: .reloc entropy: 7.931087582579306
Source: OfficeC2RClient.exe.4.dr Static PE information: section name: .reloc entropy: 7.716526540372571
Source: officesvcmgr.exe.4.dr Static PE information: section name: .reloc entropy: 7.937225704368736
Source: chrome_pwa_launcher.exe.4.dr Static PE information: section name: .reloc entropy: 7.940599038437646
Source: chrmstp.exe.4.dr Static PE information: section name: .reloc entropy: 7.9410103279415365
Source: setup.exe.4.dr Static PE information: section name: .reloc entropy: 7.941028317629505
Source: notification_helper.exe.4.dr Static PE information: section name: .reloc entropy: 7.941944744745806
Source: chrome_proxy.exe.4.dr Static PE information: section name: .reloc entropy: 7.939829916797662
Source: FXSSVC.exe.4.dr Static PE information: section name: .reloc entropy: 7.942280026799597
Source: jusched.exe.4.dr Static PE information: section name: .reloc entropy: 7.93606148486302
Source: AppVClient.exe.4.dr Static PE information: section name: .reloc entropy: 7.936534497052191
Source: elevation_service.exe.4.dr Static PE information: section name: .reloc entropy: 7.943955306015417
Source: elevation_service.exe0.4.dr Static PE information: section name: .reloc entropy: 7.945963164508881
Source: 117.0.5938.132_chrome_installer.exe.4.dr Static PE information: section name: .reloc entropy: 7.93477726184914
Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'vBXN2xV7mCTjW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'vBXN2xV7mCTjW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
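
Two of the static signatures listed above, "real checksum: 0x0 should be: 0x9799b" and "section name: .text entropy: 7.95", come from checks that are cheap to reproduce during triage. The Python below is an added example, not part of the sandbox report or of any tool it names: it builds a constructed minimal PE32 image inline (a stand-in for a dropped file, not a real sample), recomputes the PE/COFF header checksum with the algorithm imagehlp's CheckSumMappedFile uses, compares it with the header's CheckSum field, and measures Shannon entropy per section. In the report's wording "real checksum" is the value stored in the header and "should be" is the recomputed one. A stored 0, as in Native_Redline_BTC.exe.3.dr, means the linker or packer never filled the field in; a mismatch on a binary that ships signed, such as the armsvc.exe and Acrobat executables overwritten under Program Files in the next section, is one quick hint that the file on disk is no longer the vendor's build. The function and variable names (inspect_pe, build_sample_pe and so on) are this example's own.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte spread.
    Plain compiled code usually sits around 6.0-6.8; .text/.reloc/.rsrc values
    above ~7.2, as in the report, point at packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Same algorithm as imagehlp!CheckSumMappedFile: add every little-endian
    dword except the CheckSum field, fold carries, fold to 16 bits, add length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def _optional_header_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER; rejects anything that is not MZ/PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # past the signature and IMAGE_FILE_HEADER


def inspect_pe(data: bytes) -> dict:
    """Header CheckSum vs. recomputed value, plus per-section entropy."""
    opt = _optional_header_offset(data)
    coff = opt - 20
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    checksum_off = opt + 0x40          # same offset in PE32 and PE32+
    header_checksum = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    sections = {}
    for i in range(num_sections):
        hdr = opt + size_of_opt + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections[name] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    return {"header_checksum": header_checksum, "computed_checksum": computed,
            "checksum_ok": header_checksum == computed, "section_entropy": sections}


def with_correct_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum field set to the recomputed value."""
    off = _optional_header_offset(data) + 0x40
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_sample_pe(stored_checksum: int, text: bytes) -> bytes:
    """Constructed minimal PE32 for offline testing (hypothetical, not loadable):
    DOS stub, PE signature, file header, 224-byte optional header, one .text
    section header, section data at file offset 0x200."""
    file_align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 0x40, stored_checksum)       # CheckSum field
    raw_size = len(text) + (-len(text) % file_align)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                          raw_size, file_align, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    headers += b"\0" * (file_align - len(headers))
    return headers + text + b"\0" * (raw_size - len(text))


if __name__ == "__main__":
    # CheckSum left at 0 (as in the dropped RedLine payload) and a byte-uniform
    # .text section, so the entropy comes out at exactly 8.0.
    sample = build_sample_pe(0, bytes(range(256)) * 4)
    print(inspect_pe(sample))
    print(inspect_pe(with_correct_checksum(sample))["checksum_ok"])
```

Run inspect_pe over the bytes of each file listed as written under Program Files and compare against a clean install. Two caveats: Windows only enforces the header checksum for drivers and boot-time DLLs, so many benign user-mode executables also ship with 0 and a mismatch is a triage hint rather than a verdict; and for signed vendor binaries the Authenticode signature (signtool verify or Get-AuthenticodeSignature) is the authoritative check, since overwriting even one byte of the image breaks it.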

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\76fb15a314ced2a4.bin
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (13 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe (11 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe (14 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe (14 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe (14 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe (11 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe (11 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe (11 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe (11 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe (14 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe (14 identical events)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe (10 identical events shown)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\vds.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zFM.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\snmptrap.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Spectrum.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Locator.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7z.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AppVClient.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\SysWOW64\perfhost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zG.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msiexec.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\VSSVC.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbengine.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SearchIndexer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\TieringEngineService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AgentService.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\microsofts.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\vds.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\snmptrap.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\Spectrum.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\Locator.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\msiexec.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe File created: C:\Users\user\AppData\Local\Temp\build.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\VSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\wbengine.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\AgentService.exe
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052ACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 3_2_052ACBD0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\TieringEngineService.exe File created: C:\System Volume Information\Heat\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_004772DE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_004375B0
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\alg.exe Code function: 6_2_006F52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 6_2_006F52A0
Source: C:\Windows\System32\AppVClient.exe Code function: 10_2_00B652A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 10_2_00B652A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00DB52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 15_2_00DB52A0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00444078 2_2_00444078
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe API/Special instruction interceptor: Address: 567C72C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe API/Special instruction interceptor: Address: 56A168C
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: 4E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Memory allocated: 2490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Memory allocated: 1A6F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 46A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 4690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 9F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 23C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599727
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599503
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599129
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598876
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598190
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597830
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597225
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597044
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 596576
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Window / User API: threadDelayed 5356
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Window / User API: threadDelayed 4269
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 1281
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 2078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1042
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 8386
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 1404
Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 486
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\System32\FXSSVC.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\alg.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe API coverage: 3.3 %
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe API coverage: 3.3 %
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -599859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -599727s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -599503s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -599129s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598876s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598190s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597830s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597225s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -597044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -596576s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99717s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99608s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99460s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98245s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -98124s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -97995s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -97691s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -97361s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96952s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96842s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96608s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96389s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96279s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -96060s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704 Thread sleep time: -95843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe TID: 6584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7008 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7472 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 5800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 2896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep count: 8625 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep count: 1042 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7748 Thread sleep time: -503160000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7748 Thread sleep time: -84240000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7608 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 8036 Thread sleep count: 486 > 30
Source: C:\Windows\System32\msdtc.exe TID: 8036 Thread sleep time: -48600s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 2_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 2_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0045DD7C FindFirstFileW,FindClose, 2_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599859
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599727
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599503
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599129
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598876
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598190
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597830
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597703
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597225
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 597044
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 596576
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99828
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99717
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99608
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99460
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98796
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98468
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98245
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98124
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97995
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97890
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97691
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97361
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97172
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96952
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96842
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96719
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96608
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96500
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96389
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96279
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96172
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96060
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 95953
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 95843
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: Spectrum.exe, 00000026.00000002.2955514791.0000000000673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fn_VMware
Source: build.exe, 0000000B.00000002.1944647135.0000000000A73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~g
Source: Native_Redline_BTC.exe, 00000005.00000002.1786360966.00000000008E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000002.1754625306.0000000000928000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: microsofts.exe, 00000004.00000003.1816196442.00000000052C0000.00000004.00000020.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1816024816.00000000052A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2478943673.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2652860040.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2695381879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2458706033.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2616774980.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2063437906.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1983164372.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805271215.0000000000591000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 00000026.00000002.2955514791.0000000000673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PAgSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000X
Source: AppVClient.exe, 0000000A.00000003.1778472848.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000A.00000003.1778383567.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000A.00000002.1779210213.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 00000026.00000002.2955514791.0000000000673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JNECVMWar VMware SATA CD00
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 11_2_068E7F60 LdrInitializeThunk, 11_2_068E7F60
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0567B358 mov eax, dword ptr fs:[00000030h] 0_2_0567B358
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0567C9F8 mov eax, dword ptr fs:[00000030h] 0_2_0567C9F8
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0567C998 mov eax, dword ptr fs:[00000030h] 0_2_0567C998
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_056A02B8 mov eax, dword ptr fs:[00000030h] 2_2_056A02B8
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_056A1958 mov eax, dword ptr fs:[00000030h] 2_2_056A1958
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_056A18F8 mov eax, dword ptr fs:[00000030h] 2_2_056A18F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052C3F3D mov eax, dword ptr fs:[00000030h] 3_2_052C3F3D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_05281130 mov eax, dword ptr fs:[00000030h] 3_2_05281130
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\build.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0042202E SetUnhandledExceptionFilter, 2_2_0042202E
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004230F5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00417D93
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00421FA7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004015D7 SetUnhandledExceptionFilter, 3_2_004015D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004015D7 SetUnhandledExceptionFilter, 3_2_004015D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052C4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_052C4C7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052C1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_052C1361
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: page read and write | page guard
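The `mov eax, dword ptr fs:[00000030h]` hits above are the sandbox's generic signature for reading the PEB pointer out of the TEB, and the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess sequences at 0_2_00417D93 and 0_2_00421FA7 are the stock MSVC CRT security-cookie failure handler (__report_gsfailure) rather than hand-written anti-debugging. A fs:[30h] read only means something once you know which PEB field the code goes on to touch: +0x02 BeingDebugged and +0x68 NtGlobalFlag are debugger checks, whereas +0x18 ProcessHeap and +0x0C Ldr are routine CRT and loader-walking accesses. The scanner below is an added example, not part of this report or of Joe Sandbox: it finds the 32-bit encodings of the PEB read in a byte buffer and decodes the immediately following [reg+disp8] access to name the field. The sample bytes are hand-assembled for the example, and the single-instruction lookahead and the offset table are its simplifying assumptions (code that moves the pointer around first is reported as unresolved). Only the fs:[30h] forms are matched because the report's hits are in 32-bit (SysWOW64) processes; the x64 equivalent is mov rax, gs:[60h] with different field offsets.

```python
import re
from typing import List, Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields that code commonly reaches through fs:[30h], and why.
PEB_FIELDS = {
    0x02: "BeingDebugged",   # IsDebuggerPresent done by hand
    0x0C: "Ldr",             # walking the module list (manual GetProcAddress, benign or not)
    0x18: "ProcessHeap",     # CRT/heap helpers read this; benign on its own
    0x68: "NtGlobalFlag",    # heap debug flags that get set when started under a debugger
}

# Encodings of `mov r32, dword ptr fs:[30h]`:
#   64 A1 30 00 00 00        mov eax, fs:[30h]   (A1 = mov eax, moffs32)
#   64 8B /r 30 00 00 00     mov r32, fs:[30h]   (8B with ModRM mod=00, rm=101 -> disp32)
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")


def _dest_reg(insn: bytes) -> int:
    """Register that receives the PEB pointer (ModRM reg field; the A1 form is always eax)."""
    return 0 if insn[1] == 0xA1 else (insn[2] >> 3) & 7


def _deref_offset(buf: bytes, pos: int, base_reg: int) -> Optional[int]:
    """If the next instruction reads [base_reg+disp8] (mov, movzx or the 80 /r ib group), return disp8."""
    if pos >= len(buf):
        return None
    op = buf[pos]
    if op == 0x0F and pos + 1 < len(buf) and buf[pos + 1] in (0xB6, 0xB7):   # movzx r32, byte/word ptr [..]
        modrm_pos = pos + 2
    elif op in (0x8B, 0x8A, 0x80):                                          # mov r32, mov r8, cmp/test-style imm8
        modrm_pos = pos + 1
    else:
        return None
    if modrm_pos + 1 >= len(buf):
        return None
    modrm = buf[modrm_pos]
    if (modrm & 0xC0) != 0x40 or (modrm & 0x07) != base_reg:   # need mod=01 (disp8) and rm == base_reg
        return None
    return buf[modrm_pos + 1]


def scan_peb_reads(buf: bytes) -> List[dict]:
    """Every fs:[30h] read in buf, with the PEB field the very next instruction touches."""
    hits = []
    for m in PEB_READ.finditer(buf):
        reg = _dest_reg(m.group(0))
        off = _deref_offset(buf, m.end(), reg)
        field = "unresolved" if off is None else PEB_FIELDS.get(off, f"+0x{off:02x}")
        hits.append({"offset": m.start(), "reg": REGS[reg], "peb_field": field})
    return hits


def classify(hits: List[dict]) -> dict:
    """Separate real debugger checks from routine PEB use (heap, loader list)."""
    anti = [h for h in hits if h["peb_field"] in ("BeingDebugged", "NtGlobalFlag")]
    return {"peb_reads": len(hits), "anti_debug_reads": len(anti), "anti_debug": bool(anti)}


# Constructed sample: three hand-assembled snippets, not bytes taken from the report.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov   eax, fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85C0"            # test  eax, eax
    "7502"            # jne   +2
    "33C0"            # xor   eax, eax
    "648B0D30000000"  # mov   ecx, fs:[30h]
    "8B4168"          # mov   eax, [ecx+68h]           ; PEB.NtGlobalFlag
    "64A130000000"    # mov   eax, fs:[30h]
    "8B4018"          # mov   eax, [eax+18h]           ; PEB.ProcessHeap (CRT, benign)
    "C3"              # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print(f"0x{h['offset']:04x}: {h['reg']} <- fs:[30h] -> {h['peb_field']}")
    print(classify(scan_peb_reads(SAMPLE)))
```

Run it over a dumped .text section (or one of the unpacked regions the report lists) rather than the whole file; the pattern is specific enough that data sections rarely false-positive, but the follow-up decode assumes the PEB pointer is used immediately, so treat "unresolved" as "look by hand", not "benign".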

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 301C008
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_052A8550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 3_2_052A8550
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Binary or memory string: Shell_TrayWnd
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000000.1679650804.0000000000482000.00000002.00000001.01000000.00000003.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTE406.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTE455.tmp VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msdtc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\Locator.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AgentService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\vds.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wbengine.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
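Read together, the process creations above describe the whole persistence setup: server_BTC.exe, running from Temp, launches powershell.exe to add a Defender exclusion for AppData\Roaming\ACCApi, registers a scheduled task whose action is TrojanAIbot.exe in that excluded directory (/sc daily with /ri 1 and /du 23:59, i.e. re-run every minute for essentially the whole day, so killing the process does not help), and runs a .cmd dropped in Temp through cmd.exe; build.exe meanwhile enumerates installed security products through ROOT\SecurityCenter and ROOT\SecurityCenter2. The Python below is an added example, not part of this report or of Joe Sandbox: it runs a handful of rules over a constructed event list whose command lines are the ones quoted in this report. The Event schema, the rule names and the severities are assumptions (real input would come from Sysmon process-creation events and whatever telemetry records WMI queries), and the last event is a constructed benign control that shows why the exclusion path, not the cmdlet alone, decides the severity.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Locations an unprivileged user can write to; an exclusion or task target there
# deserves a higher severity than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
LOLBINS = ("powershell.exe", "cmd.exe", "schtasks.exe")

@dataclass
class Event:
    kind: str            # "process" (process creation) or "wmi" (WMI query); assumed schema
    image: str           # image of the process performing the action
    parent: str = ""     # parent image (process events)
    cmdline: str = ""    # full command line (process events)
    query: str = ""      # "<namespace> : <WQL>" (wmi events)

def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring single and double quotes."""
    return [t.strip("\"'") for t in re.findall(r'''"[^"]*"|'[^']*'|\S+''', cmdline)]

def parse_switches(tokens: List[str]) -> Dict[str, str]:
    """Map schtasks-style `/switch value` pairs; value-less switches map to ''."""
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            out[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return out

def describe_cadence(sw: Dict[str, str]) -> str:
    """Turn /sc /ri /du into words: /ri is the repeat interval in minutes, /du the HH:MM duration."""
    interval = int(sw.get("/ri") or 0)
    hours, _, minutes = (sw.get("/du") or "0:0").partition(":")
    duration = int(hours) * 60 + int(minutes or 0)
    text = (sw.get("/sc") or "?").lower()
    if interval:
        text += f", repeating every {interval} min for {duration} min (~{duration // interval} runs/day)"
    return text

def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events: List[Event]) -> List[dict]:
    findings: List[dict] = []

    def hit(rule: str, severity: str, ev: Event, **detail) -> None:
        findings.append({"rule": rule, "severity": severity, "image": ev.image, **detail})

    for ev in events:
        if ev.kind == "process":
            toks = tokenize(ev.cmdline)
            low = [t.lower() for t in toks]
            # 1. Defender exclusion added from a command line: Add-MpPreference -ExclusionPath <dir>
            if "add-mppreference" in low and "-exclusionpath" in low[:-1]:
                path = toks[low.index("-exclusionpath") + 1]
                hit("defender-exclusion", "high" if user_writable(path) else "medium", ev, path=path)
            # 2. Scheduled task whose action (/tr) lives in a user-writable directory
            if basename(ev.image) == "schtasks.exe" and "/create" in low:
                sw = parse_switches(toks)
                if user_writable(sw.get("/tr", "")):
                    hit("schtasks-persistence", "high", ev, task=sw.get("/tn"),
                        target=sw["/tr"], cadence=describe_cadence(sw))
            # 3. A batch file sitting in Temp executed through cmd /c
            if basename(ev.image) == "cmd.exe" and re.search(r'\\temp\\[^"\s]+\.(?:cmd|bat)\b', ev.cmdline, re.I):
                hit("batch-from-temp", "medium", ev)
            # 4. Anything running from Temp that spawns a LOLBin or another Temp binary
            if "\\temp\\" in ev.parent.lower() and (basename(ev.image) in LOLBINS or "\\temp\\" in ev.image.lower()):
                hit("dropper-chain", "medium", ev, parent=ev.parent)
        elif ev.kind == "wmi":
            # 5. Security-product enumeration through ROOT\SecurityCenter(2) from a user-writable path
            if user_writable(ev.image) and re.search(
                    r"root\\securitycenter2?\s*:.*\b(antivirus|antispyware|firewall)product\b", ev.query, re.I):
                hit("av-enumeration", "medium", ev, query=ev.query)
    return findings

# Constructed events (assumed schema, not sandbox output); the command lines are the ones in this report.
TEMP = r"C:\Users\user\AppData\Local\Temp"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    Event("process", PS, parent=TEMP + r"\server_BTC.exe",
          cmdline=r'"powershell.exe" Add-MpPreference -ExclusionPath ' "'C:\\Users\\user\\AppData\\Roaming\\ACCApi'"),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe", parent=TEMP + r"\server_BTC.exe",
          cmdline=r'"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" '
                  r'/st 12:46 /du 23:59 /sc daily /ri 1 /f'),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", parent=TEMP + r"\server_BTC.exe",
          cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""'),
    Event("wmi", TEMP + r"\build.exe", query=r"ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct"),
    # Control case (constructed): an administrator excluding a tool directory under Program Files from explorer.exe
    Event("process", PS, parent=r"C:\Windows\explorer.exe",
          cmdline=r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Docker"'),
]
```

Calling analyze(EVENTS) yields eight findings for the five events: the three server_BTC.exe children each trip a behaviour rule plus the dropper-chain rule, build.exe trips av-enumeration, and the control exclusion is reported at medium only. On a live host the equivalent after-the-fact checks are Get-MpPreference (ExclusionPath) and Get-ScheduledTask piped to its Actions, looking for anything under AppData; remove the task before the exclusion, since the task would otherwise relaunch the payload within a minute.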

Stealing of Sensitive Information

Source: Yara match File source: 4.3.microsofts.exe.6a0000.1115.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6a0000.923.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.6800000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6d0000.1001.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.7dde10.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.6800000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.7dde10.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6b0000.1002.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6a0000.1158.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Native_Redline_BTC.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2074768669.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1759244489.0000000000312000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1768367240.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2069994712.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.12744d08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.127db188.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.build.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.127db188.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2069513140.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: microsofts.exe PID: 2172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Native_Redline_BTC.exe PID: 4340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 3848, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000002.1754480063.0000000000482000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Binary or memory string: WIN_XP
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Binary or memory string: WIN_XPe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Binary or memory string: WIN_VISTA
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Binary or memory string: WIN_7
Source: Yara match File source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.3.microsofts.exe.6a0000.1115.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6a0000.923.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.6800000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6d0000.1001.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.7dde10.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.6800000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.7dde10.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6b0000.1002.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.microsofts.exe.6a0000.1158.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Native_Redline_BTC.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2074768669.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1759244489.0000000000312000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1768367240.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2069994712.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.12744d08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.127db188.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.build.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Native_Redline_BTC.exe.127db188.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2069513140.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: microsofts.exe PID: 2172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Native_Redline_BTC.exe PID: 4340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 3848, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_004741BB
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 2_2_0046483C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe Code function: 2_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 2_2_0047AD92